Posted to dev@tomcat.apache.org by bu...@apache.org on 2003/12/29 13:06:23 UTC
DO NOT REPLY [Bug 25796] New: Multiple security-constraint entries in web.xml lead to too-restrictive behaviour
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25796
Summary: Multiple security-constraint entries in web.xml lead to too-restrictive behaviour
Product: Tomcat 5
Version: 5.0.16
Platform: PC
OS/Version: Windows XP
Status: NEW
Severity: Normal
Priority: Other
Component: Catalina
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: darren.hague@axonglobal.com
I have a web.xml containing two security constraints:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>PublicPages</web-resource-name>
        <url-pattern>/AccountMan.do</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>UserPages</web-resource-name>
        <url-pattern>*.do</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>xsap_ebiz_user</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
The idea is that all *.do URLs are protected, with the exception of
AccountMan.do which is publicly visible (no auth-constraint).
This works fine on Tomcat 4.1-29 and on SAP J2EE Engine 6.20.
In Tomcat 5.0-16 and 5.0-14 (the only releases I have tested), attempting to
access AccountMan.do brings up the login page instead of going straight to the
page itself (a Struts forward to a Tiles definition).
This behaviour contradicts the Servlet 2.4 spec, SRV.12.8.1 Combining
Constraints:
"A security constraint that does not contain an authorization constraint shall
combine with authorization constraints that name or imply roles to allow
unauthenticated access."
Cheers,
Darren Hague
P.S. This is my first bugzilla report - please let me know if I could have done
anything better.
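As an added illustration (not code from the report or from Tomcat), the constraint-combining rule the report cites from SRV.12.8.1, applied to the two constraints posted above. Only the auth-constraint part of the rule is modelled, not transport guarantees; WEB_XML is a constructed wrapper around the posted fragment.

```python
import xml.etree.ElementTree as ET

# Constructed input: the two constraints from the report, wrapped in <web-app>
WEB_XML = """<web-app>
<security-constraint>
 <web-resource-collection><web-resource-name>PublicPages</web-resource-name>
  <url-pattern>/AccountMan.do</url-pattern>
  <http-method>GET</http-method><http-method>POST</http-method>
 </web-resource-collection>
</security-constraint>
<security-constraint>
 <web-resource-collection><web-resource-name>UserPages</web-resource-name>
  <url-pattern>*.do</url-pattern>
  <http-method>GET</http-method><http-method>POST</http-method>
 </web-resource-collection>
 <auth-constraint><role-name>xsap_ebiz_user</role-name></auth-constraint>
</security-constraint>
</web-app>"""

def pattern_matches(pattern, path):
    """Servlet url-pattern rules: exact, prefix '/x/*', extension '*.ext', default '/'."""
    if pattern == "/":
        return True
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return path == pattern

def load_constraints(xml_text):
    """Yield (patterns, methods, roles); roles is None when there is no
    <auth-constraint>, which is what grants unauthenticated access."""
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        patterns = [e.text for e in sc.iter("url-pattern")]
        methods = [e.text for e in sc.iter("http-method")]
        auth = sc.find("auth-constraint")
        roles = None if auth is None else [r.text for r in auth.iter("role-name")]
        yield patterns, methods, roles

def required_roles(constraints, path, method):
    """Combine every constraint matching (path, method) as SRV.12.8.1 requires.
    None -> unauthenticated access allowed; set() -> all access precluded;
    otherwise the set of roles, any one of which grants access."""
    matching = [roles for patterns, methods, roles in constraints
                if any(pattern_matches(p, path) for p in patterns)
                and (not methods or method in methods)]   # no methods listed = all methods
    if any(r == [] for r in matching):
        return set()      # an empty <auth-constraint> overrides all others
    if not matching or None in matching:
        return None       # a constraint with no <auth-constraint> opens the resource
    return {r for roles in matching for r in roles}
```

Note that a method not listed in any matching web-resource-collection (for example DELETE here) falls outside every constraint and is left unprotected, which is a separate pitfall from the one the report describes.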