Posted to users@tomcat.apache.org by Dennis van den Berg <De...@triodos.nl> on 2002/06/11 13:02:46 UTC

security-constraints

Hi all,

According to the servlet 2.3 specs, the longest path-prefix is used when determining which servlet-mapping or which security-constraint is to be used.

However, when I specify the following security-constraints:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Collection1</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>role1</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Collection2</web-resource-name>
      <url-pattern>/view/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>role2</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

A user who is in role2 is denied access to URLs which start with /view/*, and it seems that the order in which I specify the security-constraints matters?

Am I missing something?

Thanks,


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: security-constraints

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Tue, 11 Jun 2002, Dennis van den Berg wrote:

> Date: Tue, 11 Jun 2002 13:02:46 +0200
> From: Dennis van den Berg <De...@triodos.nl>
> Reply-To: Tomcat Users List <to...@jakarta.apache.org>
> To: tomcat-user@jakarta.apache.org
> Subject: security-constraints
>
> Hi all,
>
> According to the servlet 2.3 specs, the longest path-prefix is used when
> determining which servlet-mapping or which security-constraint is to be
> used.
>

Tomcat actually implements "first matching security constraint", rather
than "longest matching security constraint", so you need to swap the order
of these two in order to get what you want.

Clarifying the rules for this is under discussion for Servlet 2.4.

Craig




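The difference Craig describes, as an added illustration that is not part of the thread and not Tomcat's code: a small Python model of the two selection rules ("first matching" versus "longest matching") run over the two constraints from the web.xml above. The pattern-matching helper covers exact, path-prefix and extension patterns as an assumption about the spec's rules; the constraint dictionaries are constructed from the posted web.xml.

```python
def pattern_matches(pattern: str, path: str) -> bool:
    """Servlet-style url-pattern test: path-prefix (/x/*), extension (*.ext) or exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]          # "/*" gives "", which matches every path
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def select_first(constraints, path):
    """Rule Craig says Tomcat applies: the first constraint whose pattern matches wins."""
    for c in constraints:
        if any(pattern_matches(p, path) for p in c["patterns"]):
            return c
    return None


def select_longest(constraints, path):
    """Rule Dennis expected: the constraint with the longest matching pattern wins."""
    best, best_len = None, -1
    for c in constraints:
        for p in c["patterns"]:
            if pattern_matches(p, path) and len(p) > best_len:
                best, best_len = c, len(p)
    return best


def allowed(constraints, path, user_roles, selector) -> bool:
    """Access is granted if no constraint applies or the user holds one of its roles."""
    c = selector(constraints, path)
    return c is None or bool(set(user_roles) & set(c["roles"]))


# Constructed from the web.xml in the question, in the order it was posted.
COLLECTION1 = {"name": "Collection1", "patterns": ["/*"], "roles": ["role1"]}
COLLECTION2 = {"name": "Collection2", "patterns": ["/view/*"], "roles": ["role2"]}
AS_POSTED = [COLLECTION1, COLLECTION2]
SWAPPED = [COLLECTION2, COLLECTION1]   # the reordering Craig suggests

if __name__ == "__main__":
    for label, order in (("as posted", AS_POSTED), ("swapped", SWAPPED)):
        for rule in (select_first, select_longest):
            ok = allowed(order, "/view/report", ["role2"], rule)
            print(f"{label:9} {rule.__name__:14} role2 -> /view/report: "
                  f"{'allowed' if ok else 'denied'}")
```

Note that swapping the order also changes who can reach /view/*: under first-match, a role1 user is then denied there, since only Collection2 applies.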