Posted to users@tomcat.apache.org by Christian Sell <ch...@netcologne.de> on 2000/12/10 22:06:35 UTC

security-constraint url-pattern not working

Hello,

The following url-pattern in a security-constraint in my WEB.XML causes the
page WCPAdmin.jsp (which resides in a subdirectory below the context root)
to be protected under Orion and JRun, whereas Tomcat lets me access it
without any constraints:

<url-pattern>*/WCFAdmin.jsp</url-pattern>

If I change the pattern to:

<url-pattern>/jsp/admin/*</url-pattern>

all servers behave equally, protecting all pages in the given subdirectory.
Now, I wonder why Tomcat ignored the first specification. I suppose this is
a bug, but on whose side (JRun & Orion, Tomcat or mine)?

regards,
Christian



Re: security-constraint url-pattern not working

Posted by Chris Fox <cs...@extra.net>.
minor issue:
I am not sure if this is a known issue but I found this problem today.

I have a docBase=/user/home/xxx/aplication

and I have placed a security-constraint

<url-pattern>/user/*</url-pattern>

in the $docBase/WEB-INF/web.xml file 
to protect files in this $docBase/user directory

The problem is that Tomcat will protect the entire web (from the top)
and not just the $docBase/user directory that I intended to protect,
as I believe Tomcat matches the /user pattern in the root directory
and not the $docBase/user pattern.

I got around it by changing the protecting directory to $docBase/xuser.

Chris

RE: security-constraint url-pattern not working

Posted by CPC Livelink Admin <cp...@fitzpatrick.cc>.
This was discussed earlier.  Here is a snippet from the post by Craig
McClanahan:

In your <security-constraint>, you are specifying <url-pattern> entries that
are not legal according to the servlet specification (such as "*/WCFAdmin.jsp"
and "*/wcfsystem").  The legal syntax only allows "*" wildcards at the *end* of
the URL, not the beginning.  If JRun supports these values, it is doing so
outside of the servlet spec, and is therefore not portable.

For more information on the legal syntax for URL patterns, and pretty much
everything else that is mandated about servlets, see the Servlet API
Specification, version 2.2, which you can download from
<http://java.sun.com/products/servlet/download.html>.


Regards,
Paul


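
An added example, not part of the original thread and not Tomcat's code: a small web.xml check that classifies each security-constraint url-pattern by the servlet specification's mapping rules and shows which request paths end up covered. The sample descriptor is constructed, the function names are hypothetical, and the sketch assumes that any pattern which is not a path prefix, an extension or "/" is compared literally.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor holding the two patterns from the thread.
WEB_XML = """<web-app><security-constraint><web-resource-collection>
  <url-pattern>*/WCFAdmin.jsp</url-pattern>
  <url-pattern>/jsp/admin/*</url-pattern>
</web-resource-collection></security-constraint></web-app>"""


def classify(pattern):
    """Mapping kind of a url-pattern under the servlet spec rules."""
    if pattern == "/":
        return "default"
    if pattern.startswith("/") and pattern.endswith("/*"):
        return "path-prefix"
    if pattern.startswith("*.") and "/" not in pattern:
        return "extension"
    if "*" in pattern:
        return "illegal-wildcard"  # '*' anywhere else is not a wildcard
    return "exact"


def matches(pattern, path):
    """Match a context-relative request path against one pattern."""
    kind = classify(pattern)
    if kind == "default":
        return True
    if kind == "path-prefix":
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if kind == "extension":
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return path == pattern  # exact and illegal patterns: literal compare


def lint(web_xml):
    """Return (pattern, kind) for each security-constraint url-pattern."""
    root = ET.fromstring(web_xml)
    return [(p.text.strip(), classify(p.text.strip()))
            for sc in root.iter("security-constraint")
            for p in sc.iter("url-pattern")]


def is_protected(web_xml, path):
    """True if any constraint pattern covers the context-relative path."""
    return any(matches(p, path) for p, _ in lint(web_xml))
```

Patterns reported as "illegal-wildcard" are the ones to rewrite before deployment, since they leave the intended pages uncovered instead of raising an error. Paths passed to is_protected are relative to the context root, not to the docBase on disk.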