tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <ma...@apache.org>
Subject Re: Request not forwarded to login page with security-constraintafter session time-out
Date Thu, 26 Feb 2009 23:29:34 GMT
Caldarale, Charles R wrote:
>> From: Mark Thomas [mailto:markt@apache.org]
>> Subject: Re: Request not forwarded to login page with
>> security-constraintafter session time-out
>>
>> If "*" is all roles defined and you have no roles
>> defined then you are basically preventing anyone
>> from accessing that resource
> 
> That's not quite what it says.  The actual wording:
> 
> "The special role name "*" is a shorthand for all role names defined in the deployment
descriptor.  An authorization constraint that names no roles indicates that access to the
constrained requests must not be permitted under any circumstances."

I think the current implementation follows from that. "*" is all roles
defined. If there no roles defined then the auth constraint names no
roles and all users are blocked.

> In the OP's case, the authorization constraint does name roles, albeit just the shorthand
version.

"*" makes no sense in
<security-role><role-name>*</role-name></security-role>

I suspect what Tomcat is doing is creating a role named "*". Since no
user has been assigned to that role, no user is permitted access.

What the spec is not explicit about is the combination of "*" with an
empty or non-existant <security-role> list.

I think it is quite clear. It means no-one gets access.

The OP (and others) have interpreted the "*" and no <security-role> list
to indicate no roles are needed for authorization.

Indeed. So did Tomcat for many versions.

For all we know, the intent of the spec writers may have been to allow that.

I know that that was not the intent. The current behaviour was the intent.

Mark



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message