Posted to dev@geronimo.apache.org by Jian Liao <no...@gmail.com> on 2005/12/06 12:10:50 UTC
JACC permission check issue
Hi all,
I defined two security constraints in web.xml as follows:
<!-- Protect LogInRedirectory.jsp. This will require a login when called -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Login</web-resource-name>
    <url-pattern>/login/redirector</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
<!-- securing the ManagerServlet -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Manager</web-resource-name>
    <url-pattern>/manager/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
It will create a WebResourcePermission instance with
"/:/login/redirector:/manager/*" as its name and its URLPatternSpec
instance's pattern. This WebResourcePermission instance will be contained
by PolicyConfigurationGeneric.unchecked.
After the successful login, a sendRedirect("/login/redirector") occurred.
A WebResourcePermission instance will be created like this: "new
WebResourcePermission(request)" in class TomcatGeronimoRealm, line 200. So the
WebResourcePermission instance will use "/login/redirector" to construct its
URLPatternSpec, then the URLPatternSpec constructor will initialize its "first"
member variable with "/login/redirector". Is that what it expects? (See lines
45 - 46 in URLPatternSpec.java)
Finally, I will fail on line 128, URLPatternSpec.java, because the
URLPattern instance in qualifiers will match the "URLPatternSpec.first"
which was constructed above.
Could someone tell me how I should configure my security-constraint, or is that a
bug?
- Jian Liao
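
The qualified-pattern check described in the message above, as an added example that is not part of the original post and is not Geronimo's or the JACC API's code: a simplified model of the JACC URL pattern matching and implies rules, with HTTP methods ignored. The class name UrlPatternSpecModel, its methods, and the paths /manager/list and /index.jsp are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.List;

// Simplified model of JACC URLPatternSpec semantics (HTTP methods ignored).
// Hypothetical class; not Geronimo's URLPatternSpec and not javax.security.jacc.
public class UrlPatternSpecModel {
    final String first;            // pattern before the first ':'
    final List<String> qualifiers; // patterns carved out of 'first'

    UrlPatternSpecModel(String spec) {
        String[] parts = spec.split(":");
        first = parts[0];
        qualifiers = Arrays.asList(parts).subList(1, parts.length);
    }

    // True if 'pattern' matches 'target': default "/", exact, path-prefix, or extension.
    static boolean matches(String pattern, String target) {
        if (pattern.equals("/") || pattern.equals(target)) return true;
        if (pattern.startsWith("/") && pattern.endsWith("/*")) {
            String prefix = pattern.substring(0, pattern.length() - 2);
            return target.startsWith(prefix)
                && (target.length() == prefix.length() || target.charAt(prefix.length()) == '/');
        }
        return pattern.startsWith("*.") && target.endsWith(pattern.substring(1));
    }

    // True if this (policy) spec implies the spec built from a request.
    boolean implies(UrlPatternSpecModel req) {
        if (!matches(first, req.first)) return false;
        for (String q : qualifiers) {
            if (matches(q, req.first)) return false; // request falls in a carved-out pattern
        }
        if (matches(req.first, first)) {             // req is at least as broad as this spec
            for (String q : qualifiers) {
                if (req.qualifiers.stream().noneMatch(r -> matches(r, q))) return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Name of the unchecked permission quoted in the post.
        UrlPatternSpecModel unchecked = new UrlPatternSpecModel("/:/login/redirector:/manager/*");
        // /login/redirector is from the post; the other two paths are constructed samples.
        for (String path : new String[] {"/login/redirector", "/manager/list", "/index.jsp"}) {
            boolean ok = unchecked.implies(new UrlPatternSpecModel(path));
            System.out.println(path + " implied by unchecked permission: " + ok);
        }
    }
}
```

In this model a false result only means the unchecked permission does not cover the URL; under JACC the request then has to be implied by a WebResourcePermission granted to one of the caller's roles.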