Posted to dev@tomcat.apache.org by "Nam T. Nguyen" <Th...@borland.com> on 2005/11/21 10:21:10 UTC

Bug in Combining Authorization Constraints

Hi

I have two <security-constraint> elements in my deployment descriptor.

One has auth-constraint <role-name>*</role-name>, and the other does not
have any <auth-constraint>. They both have the same <url-pattern>.

By SRV.12.8.1 Combining Constraints:

<quote>
A security constraint that does not contain an authorization constraint
shall combine with authorization constraints that name or imply roles to
allow unauthenticated access.
</quote>

Applied to the attached .war file, my interpretation of this is that access
to /index.jsp is accepted. However, Tomcat 5.5.12 returns status code
401 (Authorization Required).

Cheers
Nam

--
Random humorous quote: Work is the greatest thing in the world, so save
some for tomorrow.
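The combining rules in SRV.12.8.1 are easy to get wrong, as this report shows, so here is an added example (not Tomcat's code and not the reporter's attached .war) that parses a constructed web.xml and computes the effective authorization for a request by applying the three rules from that section: an empty <auth-constraint/> precludes access, a constraint with no <auth-constraint> allows unauthenticated access, and otherwise the named roles are unioned. The descriptor, the /admin paths and the DELETE-only constraint are constructed for illustration; the url-pattern matcher is a simplified version of the servlet mapping rules.

```python
"""Added example: evaluate SRV.12.8.1 combining rules for <security-constraint>
elements that match the same resource. Not Tomcat's implementation."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

ALL_ROLES = "*"


@dataclass
class Constraint:
    patterns: list      # url-patterns from every web-resource-collection
    methods: set        # http-methods; an empty set means "all methods"
    has_auth: bool      # True if an <auth-constraint> element is present at all
    roles: set          # role-names inside it; empty with has_auth=True means "deny all"


def _strip_ns(root):
    # web.xml normally declares the J2EE namespace; drop it so tag names compare plainly
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def parse_constraints(web_xml: str) -> list:
    root = _strip_ns(ET.fromstring(web_xml))
    constraints = []
    for sc in root.iter("security-constraint"):
        patterns, methods = [], set()
        for wrc in sc.findall("web-resource-collection"):
            patterns += [p.text.strip() for p in wrc.findall("url-pattern")]
            methods |= {m.text.strip().upper() for m in wrc.findall("http-method")}
        ac = sc.find("auth-constraint")
        roles = set() if ac is None else {r.text.strip() for r in ac.findall("role-name")}
        constraints.append(Constraint(patterns, methods, ac is not None, roles))
    return constraints


def pattern_matches(pattern: str, path: str) -> bool:
    # Simplified servlet mapping: exact, path prefix ("/dir/*"), extension ("*.jsp"), default ("/")
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == "/"


def effective_access(constraints, path: str, method: str = "GET"):
    """Return (decision, roles) for one request, combining every constraint that
    matches the path and method, in the precedence order given by SRV.12.8.1."""
    matching = [c for c in constraints
                if any(pattern_matches(p, path) for p in c.patterns)
                and (not c.methods or method.upper() in c.methods)]
    if not matching:
        return ("unconstrained", frozenset())
    # An <auth-constraint/> naming no roles overrides all other constraints: access precluded.
    if any(c.has_auth and not c.roles for c in matching):
        return ("denied", frozenset())
    # A constraint with no <auth-constraint> combines with role-naming ones to allow
    # unauthenticated access (the clause quoted in the report).
    if any(not c.has_auth for c in matching):
        return ("unauthenticated", frozenset())
    roles = frozenset().union(*(c.roles for c in matching))
    if ALL_ROLES in roles:
        return ("any-authenticated-role", roles)
    return ("roles", roles)


# Constructed descriptor reproducing the report: two constraints on /index.jsp, one with
# <role-name>*</role-name> and one with no <auth-constraint>, plus an admin area for contrast.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>index-auth</web-resource-name>
      <url-pattern>/index.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>index-open</web-resource-name>
      <url-pattern>/index.jsp</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin-no-delete</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

if __name__ == "__main__":
    cs = parse_constraints(SAMPLE_WEB_XML)
    for path, method in [("/index.jsp", "GET"), ("/admin/users", "GET"), ("/admin/users", "DELETE")]:
        print(method, path, "->", effective_access(cs, path, method))
```

For the reporter's case the function returns "unauthenticated" for /index.jsp, which is the behaviour the quoted clause requires and the opposite of the 401 observed on 5.5.12. The precedence matters: the empty <auth-constraint/> check runs first because the spec says a constraint naming no roles overrides every other constraint, so DELETE on /admin/users is denied even though the GET constraint on the same pattern would admit the admin role.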


Re: Bug in Combining Authorization Constraints

Posted by Bill Barker <wb...@wilshire.com>.
This should be fixed in the SVN trunk, and will appear in 5.5.13.

Thanks for reporting this!

----- Original Message ----- 
From: "Nam T. Nguyen" <Th...@borland.com>
To: <de...@tomcat.apache.org>
Sent: Monday, November 21, 2005 1:21 AM
Subject: Bug in Combining Authorization Constraints


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org