Posted to dev@tomcat.apache.org by bu...@apache.org on 2007/03/14 17:35:54 UTC
DO NOT REPLY [Bug 41843] New: - weak <security-constraint> accesses blocking behaviour
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=41843>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=41843
Summary: weak <security-constraint> accesses blocking behaviour
Product: Tomcat 5
Version: 5.5.20
Platform: Other
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Webapps:Administration
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: giampow@libero.it
Using Tomcat 5.5.20, in my web.xml I added

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>private</web-resource-name>
      <url-pattern>/private/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <description>No Access</description>
    </auth-constraint>
  </security-constraint>

but if a directory named "private" exists in the webapp docBase,
it doesn't block access to it.
Otherwise, if no directory named "private" exists in the docBase, it works fine.
In Tomcat 5.5.9 it always works fine, since it blocks access whether the
"private" directory exists or not.
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
DO NOT REPLY [Bug 41843] - weak <security-constraint> accesses blocking behaviour
Posted by bu...@apache.org.
------- Additional Comments From remm@apache.org 2007-03-14 16:15 -------
I think your report is invalid (most likely, you have a "private" webapp
deployed). Please provide a ready to test war which demonstrates the issue.
DO NOT REPLY [Bug 41843] - weak <security-constraint> accesses blocking behaviour
Posted by bu...@apache.org.
------- Additional Comments From giampow@libero.it 2007-03-15 03:08 -------
(In reply to comment #1)
> I think your report is invalid (most likely, you have a "private" webapp
> deployed). Please provide a ready to test war which demonstrates the issue.
I think maybe the problem is in my server.xml:
in that file I use

  <Host name="localhost" appBase="webapps/test">
    <Context path="" docBase=""/>
  </Host>

where appBase and docBase are the same.
Under the webapps/test folder I have the folders

  |
  ---private
  ---WEB-INF

so when I call /private,
Tomcat uses the /private context, not / as I expected.
DO NOT REPLY [Bug 41843] - weak <security-constraint> accesses blocking behaviour
Posted by bu...@apache.org.
remm@apache.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Additional Comments From remm@apache.org 2007-03-15 04:04 -------
For obvious reasons, the setup with autoDeploy enabled on the host, and an empty
docBase is totally wrong.
The Servlet 2.5 specification clarified that web.xml is not actually mandatory
in a webapp, so I adopted the clarified behavior in Tomcat 5.5 as well.
DO NOT REPLY [Bug 41843] - weak <security-constraint> accesses blocking behaviour
Posted by bu...@apache.org.
------- Additional Comments From giampow@libero.it 2007-03-15 03:23 -------
I forgot to specify that in the "private" folder I don't have a WEB-INF
folder with a corresponding web.xml, so it should not be treated as a /private context.
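
Added example, not part of the original thread and not Tomcat code: a Python check for the layout discussed in this bug, where a Context docBase resolves to the Host appBase while automatic deployment is on, so a subdirectory such as "private" becomes its own context and the root web.xml <security-constraint> never sees the request. The function names, the sample server.xml and the temporary directory tree are constructed for illustration; skipping WEB-INF and META-INF is an assumption about the deployer.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample mirroring the server.xml fragment quoted in the thread.
SAMPLE_SERVER_XML = """
<Server><Service name="Catalina"><Engine name="Catalina" defaultHost="localhost">
  <Host name="localhost" appBase="webapps/test">
    <Context path="" docBase=""/>
  </Host>
</Engine></Service></Server>
"""

def _enabled(host, attr):
    # autoDeploy and deployOnStartup both default to true on a Host.
    return host.get(attr, "true").strip().lower() == "true"

def shadowing_contexts(server_xml, catalina_base):
    """Return (host, context_path, shadow_path) for each subdirectory of an
    appBase that would deploy as its own context and take requests away
    from a Context whose docBase is the appBase itself."""
    findings = []
    for host in ET.fromstring(server_xml).iter("Host"):
        app_base = (Path(catalina_base) / host.get("appBase", "webapps")).resolve()
        if not (_enabled(host, "autoDeploy") or _enabled(host, "deployOnStartup")):
            continue
        for ctx in host.iter("Context"):
            doc = ctx.get("docBase")
            if doc is None or not app_base.is_dir():
                continue
            # A relative docBase is resolved against the Host's appBase.
            if (app_base / doc).resolve() != app_base:
                continue
            for child in sorted(app_base.iterdir()):
                # Assumption: WEB-INF and META-INF are not deployed as apps.
                if child.is_dir() and child.name.upper() not in ("WEB-INF", "META-INF"):
                    findings.append((host.get("name"), ctx.get("path", ""), "/" + child.name))
    return findings

def demo():
    # Constructed layout from the thread: webapps/test/{private,WEB-INF}
    with tempfile.TemporaryDirectory() as tmp:
        for d in ("private", "WEB-INF"):
            (Path(tmp) / "webapps" / "test" / d).mkdir(parents=True)
        return shadowing_contexts(SAMPLE_SERVER_XML, tmp)

if __name__ == "__main__":
    for host, ctx_path, shadow in demo():
        print(f"{host}: context {ctx_path!r} is shadowed by auto-deployed {shadow}")
```

Any path it reports is served by a separate context, so constraints declared in the root application's web.xml do not apply there.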