Posted to dev@tomcat.apache.org by bu...@apache.org on 2004/03/21 08:24:34 UTC

DO NOT REPLY [Bug 27820] New: - SecurityConstraint.findAuthRoles()

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=27820>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=27820

SecurityConstraint.findAuthRoles()

           Summary: SecurityConstraint.findAuthRoles()
           Product: Tomcat 5
           Version: 5.0.19
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Unknown
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: Nils_Kilden-Pedersen@countrywide.com


The description for SecurityConstraint.findAuthRoles() states that 
"Return the set of roles that are permitted access to the resources protected by
this security constraint. If none have been defined, a zero-length array is
returned (which implies that all authenticated users are permitted access)."

Reading the servlet 2.4 spec, it states that 
"An authorization constraint that names no roles indicates that access to the
constrained requests must not be permitted under any circumstances." 

This seems opposite of the findAuthRoles() description. I haven't checked how
that method is actually being used, so I don't know if it's a security risk, but
the description is obviously wrong.
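A small model of the discrepancy the report points at, added here as an illustration and not taken from Tomcat's sources: the Servlet 2.4 reading needs to distinguish "no auth-constraint at all" from "an auth-constraint that names no roles", which a bare zero-length role array cannot express. The class, enum and method names are hypothetical.

```java
import java.util.Set;

// Hypothetical model (not Tomcat's SecurityConstraint) of how an
// <auth-constraint> should be evaluated under the Servlet 2.4 text
// quoted in the bug, next to a literal reading of the findAuthRoles() Javadoc.
final class AuthConstraintCheck {

    // The three shapes a <security-constraint> can take with respect to roles.
    enum Kind { NO_AUTH_CONSTRAINT, EMPTY_AUTH_CONSTRAINT, NAMED_ROLES }

    /** Servlet 2.4 semantics: may a caller holding userRoles pass? */
    static boolean permittedPerSpec(Kind kind, Set<String> constraintRoles,
                                    Set<String> userRoles) {
        switch (kind) {
            case NO_AUTH_CONSTRAINT:
                return true;   // no <auth-constraint> element: access is unrestricted
            case EMPTY_AUTH_CONSTRAINT:
                return false;  // <auth-constraint/> naming no roles: deny everyone
            case NAMED_ROLES:
                for (String r : constraintRoles) {
                    if (userRoles.contains(r)) return true;
                }
                return false;
            default:
                throw new IllegalStateException("unknown kind " + kind);
        }
    }

    /** The Javadoc read literally: an empty role set admits any authenticated user. */
    static boolean permittedPerJavadoc(Set<String> constraintRoles,
                                       boolean authenticated, Set<String> userRoles) {
        if (constraintRoles.isEmpty()) return authenticated;
        for (String r : constraintRoles) {
            if (userRoles.contains(r)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        Set<String> noRoles = Set.of();
        Set<String> caller = Set.of("user");  // constructed sample principal roles
        // Same deployment descriptor (an empty <auth-constraint/>), two readings:
        System.out.println("spec    : "
                + permittedPerSpec(Kind.EMPTY_AUTH_CONSTRAINT, noRoles, caller));
        System.out.println("javadoc : "
                + permittedPerJavadoc(noRoles, true, caller));
    }
}
```

The point for a reviewer of the real implementation is the second case: whether the container tracks "auth-constraint present but empty" separately from the role list, since that is what decides between deny-all and allow-any-authenticated.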
