Posted to dev@tomcat.apache.org by bu...@apache.org on 2003/12/29 13:06:23 UTC

DO NOT REPLY [Bug 25796] New: - Multiple security-constraint entries in web.xml lead to too-restrictive behaviour

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25796>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25796

Multiple security-constraint entries in web.xml lead to too-restrictive behaviour

           Summary: Multiple security-constraint entries in web.xml lead to
                    too-restrictive behaviour
           Product: Tomcat 5
           Version: 5.0.16
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: darren.hague@axonglobal.com


I have a web.xml containing two security constraints:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>PublicPages</web-resource-name>
            <url-pattern>/AccountMan.do</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>UserPages</web-resource-name>
            <url-pattern>*.do</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>xsap_ebiz_user</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

The idea is that all *.do URLs are protected, with the exception of 
AccountMan.do which is publicly visible (no auth-constraint). 

This works fine on Tomcat 4.1-29 and on SAP J2EE Engine 6.20. 

In Tomcat 5.0-16 and 5.0-14 (the only releases I have tested), attempting to 
access AccountMan.do brings up the login page instead of going straight to the 
page itself (a Struts forward to a Tiles definition).

This behaviour contradicts the Servlet 2.4 spec, SRV.12.8.1 Combining 
Constraints:
"A security constraint that does not contain an authorization constraint shall 
combine with authorization constraints that name or imply roles to allow 
unauthenticated access."

Cheers,
Darren Hague

P.S. This is my first bugzilla report - please let me know if I could have done 
anything better.
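As an added illustration, not code from the report or from Tomcat, the SRV.12.8.1 combination rule the report cites modelled in Python, applied to the two constraints above; it assumes that every constraint whose url-pattern and http-method match the request is considered (no best-match precedence between patterns), and it also covers the spec's empty auth-constraint (deny all) and union-of-roles cases that the quoted sentence does not spell out.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

@dataclass(frozen=True)
class Constraint:
    name: str
    patterns: FrozenSet[str]         # <url-pattern> values
    methods: FrozenSet[str]          # <http-method> values; empty = all methods
    roles: Optional[FrozenSet[str]]  # None = no <auth-constraint>; empty = <auth-constraint/>

def pattern_matches(pattern: str, path: str) -> bool:
    """Servlet URL-pattern matching: exact, path prefix (/x/*), extension (*.do), default (/)."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return pattern == "/"

def combine(constraints, path: str, method: str) -> Tuple[str, Optional[FrozenSet[str]]]:
    """Apply SRV.12.8.1 to every constraint whose pattern and method match the request."""
    matching = [c for c in constraints
                if any(pattern_matches(p, path) for p in c.patterns)
                and (not c.methods or method in c.methods)]
    if not matching:
        return "unconstrained", None
    # An <auth-constraint> naming no roles overrides all others: access is precluded.
    if any(c.roles is not None and not c.roles for c in matching):
        return "deny-all", frozenset()
    # A constraint with no <auth-constraint> combines with role-naming ones to allow
    # unauthenticated access (the sentence quoted in the report).
    if any(c.roles is None for c in matching):
        return "allow-unauthenticated", None
    # Otherwise the roles permitted are the union of all roles named.
    return "roles-required", frozenset().union(*(c.roles for c in matching))

def is_allowed(constraints, path: str, method: str, user_roles: FrozenSet[str]) -> bool:
    outcome, roles = combine(constraints, path, method)
    if outcome == "deny-all":
        return False
    if outcome == "roles-required":
        return bool(roles & user_roles)
    return True

# The two constraints from the report's web.xml, transcribed into this model.
REPORTED = [
    Constraint("PublicPages", frozenset({"/AccountMan.do"}), frozenset({"GET", "POST"}), None),
    Constraint("UserPages", frozenset({"*.do"}), frozenset({"GET", "POST"}), frozenset({"xsap_ebiz_user"})),
]
```

Under this reading, an unauthenticated GET of /AccountMan.do is allowed while any other *.do page requires the xsap_ebiz_user role, which is the behaviour the report expects.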

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org