Posted to dev@geronimo.apache.org by anita kulshreshtha <a_...@yahoo.com> on 2007/01/20 04:41:56 UTC
Extension pattern, i.e. *.do in security constraints
We do not allow this combination of URL patterns in
web-resource-collection. This is in line with JACC
http://java.sun.com/j2ee/1.4/docs/api/javax/security/jacc/WebResourcePermission.html
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin Role</web-resource-name>
    <url-pattern>*.do</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>content-administrator</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Unrestricted ACCESS</web-resource-name>
    <url-pattern>/login.do</url-pattern>
  </web-resource-collection>
</security-constraint>
The following url-patterns are allowed with *.do -
- /login/*, /login.do/* , i.e. path prefix patterns
- login.do, i.e. Exact patterns matching *.do
- login.do/, login.do/*
Does anyone know why the above web.xml fragment should or should
not be allowed?
Thanks
Anita
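
An added example, not part of the original thread and not Geronimo's code: a small Java sketch of how the url-patterns of a deployment descriptor are qualified into a JACC URLPatternSpec, following the rules in the WebResourcePermission Javadoc linked above. The class and method names are hypothetical, and the sketch does not drop patterns that are overridden by another pattern. For the two patterns in the fragment above it yields "*.do:/login.do" for the extension pattern and leaves the exact pattern "/login.do" unqualified.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

// Hypothetical helper written for this illustration only.
public class UrlPatternQualifier {
    enum Kind { EXACT, PREFIX, EXTENSION, DEFAULT }

    static Kind kind(String p) {
        if (p.equals("/")) return Kind.DEFAULT;
        if (p.endsWith("/*")) return Kind.PREFIX;
        if (p.startsWith("*.")) return Kind.EXTENSION;
        return Kind.EXACT;
    }

    // Does 'pattern' match 'other' under the JACC URL pattern matching rules?
    static boolean matches(String pattern, String other) {
        if (pattern.equals(other)) return true;
        Kind k = kind(pattern);
        if (k == Kind.DEFAULT) return true;
        if (k == Kind.PREFIX) {
            String base = pattern.substring(0, pattern.length() - 2); // strip "/*"
            return other.equals(base) || other.startsWith(base + "/");
        }
        // "*.do" matches anything ending in ".do"
        if (k == Kind.EXTENSION) return other.endsWith(pattern.substring(1));
        return false; // an exact pattern matches only itself
    }

    // Build "pattern:qualifier1:qualifier2..." from all patterns in the descriptor.
    static String qualify(String pattern, Collection<String> all) {
        StringBuilder spec = new StringBuilder(pattern);
        Kind k = kind(pattern);
        for (String q : all) {
            if (q.equals(pattern)) continue;
            Kind qk = kind(q);
            boolean qualifies = false;
            if (k == Kind.PREFIX) {
                qualifies = (qk == Kind.PREFIX || qk == Kind.EXACT) && matches(pattern, q);
            } else if (k == Kind.EXTENSION) {
                qualifies = qk == Kind.PREFIX || (qk == Kind.EXACT && matches(pattern, q));
            } else if (k == Kind.DEFAULT) {
                qualifies = true; // every pattern other than "/" itself
            } // exact patterns are never qualified
            if (qualifies) spec.append(':').append(q);
        }
        return spec.toString();
    }

    public static void main(String[] args) {
        // The two url-patterns from the web.xml fragment in the message above.
        List<String> descriptor = Arrays.asList("*.do", "/login.do");
        for (String p : descriptor) System.out.println(p + " -> " + qualify(p, descriptor));
    }
}
```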
Re: Extension pattern, i.e. *.do in security constraints
Posted by David Jencks <da...@yahoo.com>.
OK, I fixed this in GERONIMO-2763 in trunk.
Everyone will need to get the newest jacc 1.1 snapshot I pushed for
the new web-2.5-builder test to pass.
I haven't looked into what is necessary to fix the jacc 1.0 spec
jar.... maybe dain can help with this (I'm unsure what the correct
process for modifying this would be)
thanks
david jencks
On Jan 20, 2007, at 3:06 AM, anita kulshreshtha wrote:
> This was reported in
> https://issues.apache.org/jira/browse/GERONIMO-1585#action_12436703
> Please note that the presence/absence of authorization constraint
> and a role ( same or different ) in second security constraint does
> not make any difference.
>
> Thanks
> Anita
>
> --- David Jencks <da...@yahoo.com> wrote:
>
>> It looks to me as if it should be allowed. What is the error?
>>
>> thanks
>> david jencks
>>
>> On Jan 19, 2007, at 7:41 PM, anita kulshreshtha wrote:
>>
>>> We do not allow this combination of URL patterns in
>>> web-resource-collection. This is in line with JACC
>>> http://java.sun.com/j2ee/1.4/docs/api/javax/security/jacc/WebResourcePermission.html
>>>
>>> <security-constraint>
>>> <web-resource-collection>
>>> <web-resource-name>Admin Role</web-resource-name>
>>> <url-pattern>*.do</url-pattern>
>>> </web-resource-collection>
>>> <auth-constraint>
>>> <role-name>content-administrator</role-name>
>>> </auth-constraint>
>>> </security-constraint>
>>>
>>> <security-constraint>
>>> <web-resource-collection>
>>> <web-resource-name>Unrestricted ACCESS</web-resource-name>
>>> <url-pattern>/login.do</url-pattern>
>>> </web-resource-collection>
>>> </security-constraint>
>>>
>>> The following url-patterns are allowed with *.do -
>>> - /login/*, /login.do/* , i.e. path prefix patterns
>>> - login.do, i.e. Exact patterns matching *.do
>>> - login.do/, login.do/*
>>> Does anyone know why the above web.xml fragment should or should
>>> not be allowed?
>>>
>>> Thanks
>>> Anita
Re: Extension pattern, i.e. *.do in security constraints
Posted by anita kulshreshtha <a_...@yahoo.com>.
This was reported in
https://issues.apache.org/jira/browse/GERONIMO-1585#action_12436703
Please note that the presence/absence of authorization constraint
and a role ( same or different ) in second security constraint does
not make any difference.
Thanks
Anita
--- David Jencks <da...@yahoo.com> wrote:
> It looks to me as if it should be allowed. What is the error?
>
> thanks
> david jencks
>
> On Jan 19, 2007, at 7:41 PM, anita kulshreshtha wrote:
>
> > We do not allow this combination of URL patterns in
> > web-resource-collection. This is in line with JACC
> > http://java.sun.com/j2ee/1.4/docs/api/javax/security/jacc/WebResourcePermission.html
> >
> > <security-constraint>
> > <web-resource-collection>
> > <web-resource-name>Admin Role</web-resource-name>
> > <url-pattern>*.do</url-pattern>
> > </web-resource-collection>
> > <auth-constraint>
> > <role-name>content-administrator</role-name>
> > </auth-constraint>
> > </security-constraint>
> >
> > <security-constraint>
> > <web-resource-collection>
> > <web-resource-name>Unrestricted ACCESS</web-resource-name>
> > <url-pattern>/login.do</url-pattern>
> > </web-resource-collection>
> > </security-constraint>
> >
> > The following url-patterns are allowed with *.do -
> > - /login/*, /login.do/* , i.e. path prefix patterns
> > - login.do, i.e. Exact patterns matching *.do
> > - login.do/, login.do/*
> > Does anyone know why the above web.xml fragment should or should
> > not be allowed?
> >
> > Thanks
> > Anita
Re: Extension pattern, i.e. *.do in security constraints
Posted by David Jencks <da...@yahoo.com>.
It looks to me as if it should be allowed. What is the error?
thanks
david jencks
On Jan 19, 2007, at 7:41 PM, anita kulshreshtha wrote:
> We do not allow this combination of URL patterns in
> web-resource-collection. This is in line with JACC
> http://java.sun.com/j2ee/1.4/docs/api/javax/security/jacc/WebResourcePermission.html
>
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>Admin Role</web-resource-name>
> <url-pattern>*.do</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <role-name>content-administrator</role-name>
> </auth-constraint>
> </security-constraint>
>
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>Unrestricted ACCESS</web-resource-name>
> <url-pattern>/login.do</url-pattern>
> </web-resource-collection>
> </security-constraint>
>
> The following url-patterns are allowed with *.do -
> - /login/*, /login.do/* , i.e. path prefix patterns
> - login.do, i.e. Exact patterns matching *.do
> - login.do/, login.do/*
> Does anyone know why the above web.xml fragment should or should
> not be allowed?
>
> Thanks
> Anita