Posted to users@tomcat.apache.org by "Caldarale, Charles R" <Ch...@unisys.com> on 2009/02/27 00:12:46 UTC

RE: Request not forwarded to login page with security-constraint after session time-out

> From: Mark Thomas [mailto:markt@apache.org]
> Subject: Re: Request not forwarded to login page with
> security-constraint after session time-out
>
> If "*" is all roles defined and you have no roles
> defined then you are basically preventing anyone
> from accessing that resource

That's not quite what it says.  The actual wording:

"The special role name "*" is a shorthand for all role names defined in the deployment descriptor.  An authorization constraint that names no roles indicates that access to the constrained requests must not be permitted under any circumstances."

In the OP's case, the authorization constraint does name roles, albeit just the shorthand version.  What the spec is not explicit about is the combination of "*" with an empty or non-existent <security-role> list.  The OP (and others) have interpreted the "*" and no <security-role> list to indicate no roles are needed for authorization.  For all we know, the intent of the spec writers may have been to allow that.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Request not forwarded to login page with security-constraint after session time-out

Posted by Mark Thomas <ma...@apache.org>.
Caldarale, Charles R wrote:
>> From: Mark Thomas [mailto:markt@apache.org]
>> Subject: Re: Request not forwarded to login page with
>> security-constraint after session time-out
>>
>> If "*" is all roles defined and you have no roles
>> defined then you are basically preventing anyone
>> from accessing that resource
> 
> That's not quite what it says.  The actual wording:
> 
> "The special role name "*" is a shorthand for all role names defined in the deployment descriptor.  An authorization constraint that names no roles indicates that access to the constrained requests must not be permitted under any circumstances."

I think the current implementation follows from that. "*" is all roles
defined. If there are no roles defined then the auth constraint names no
roles and all users are blocked.

> In the OP's case, the authorization constraint does name roles, albeit just the shorthand version.

"*" makes no sense in
<security-role><role-name>*</role-name></security-role>

I suspect what Tomcat is doing is creating a role named "*". Since no
user has been assigned to that role, no user is permitted access.

> What the spec is not explicit about is the combination of "*" with an
> empty or non-existent <security-role> list.

I think it is quite clear. It means no-one gets access.

> The OP (and others) have interpreted the "*" and no <security-role> list
> to indicate no roles are needed for authorization.

Indeed. So did Tomcat for many versions.

> For all we know, the intent of the spec writers may have been to allow that.

I know that that was not the intent. The current behaviour was the intent.

Mark



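Added illustration of the two cases discussed in the thread. This is not the OP's web.xml (which is not shown above) and not code from either poster; the role names "manager" and "viewer", the URL pattern and the login page names are assumptions. The first descriptor is the shape Mark describes as blocking everyone: "*" can only expand to role names declared in the same descriptor, and none are declared. The second declares the roles, so "*" has something to expand to and the constraint behaves as the OP expected.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Descriptor 1 (added example, not from the thread).
     <auth-constraint> names "*" but the descriptor declares no
     <security-role>. Per the spec text quoted in the thread, "*" is
     shorthand for the role names declared here, i.e. the empty set,
     so the constraint effectively names no roles and current Tomcat
     denies every request under /secure/* (role names are assumed). -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <!-- no <security-role> elements: nothing for "*" to expand to -->
</web-app>
```

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Descriptor 2 (added example, not from the thread).
     Same constraint, but the roles are declared, so "*" expands to
     {manager, viewer}. An unauthenticated request to /secure/* is sent
     to the login page; a user holding either role is admitted; a user
     holding neither is denied. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role><role-name>manager</role-name></security-role>
  <security-role><role-name>viewer</role-name></security-role>
</web-app>
```

The practical check is to diff the set of role names inside <auth-constraint> against the set declared in <security-role>: if the former contains "*" and the latter is empty, no principal can satisfy the constraint, whatever the realm says. Deployments that relied on the older Tomcat reading of "*" as "any authenticated user" should declare the roles they actually hand out (as in the second descriptor) rather than leave the <security-role> list empty.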