You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@geronimo.apache.org by "Jeff Genender (JIRA)" <ji...@apache.org> on 2007/01/05 23:52:27 UTC
[jira] Reopened: (GERONIMO-2339) Empty auth-constraint tag in web
app security-constraint does not prevent access to resource
[ https://issues.apache.org/jira/browse/GERONIMO-2339?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jeff Genender reopened GERONIMO-2339:
-------------------------------------
Assignee: Jeff Genender (was: Vamsavardhana Reddy)
> Empty auth-constraint tag in web app security-constraint does not prevent access to resource
> --------------------------------------------------------------------------------------------
>
> Key: GERONIMO-2339
> URL: https://issues.apache.org/jira/browse/GERONIMO-2339
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: security, Tomcat
> Affects Versions: 1.1.1
> Environment: Geronimo Tomcat 1.1.1
> Reporter: Vamsavardhana Reddy
> Assigned To: Jeff Genender
> Fix For: 1.1.2, 1.2, 2.0
>
> Attachments: g2339.war
>
>
> I have the following security constraint in web.xml
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>No Access</web-resource-name>
> <url-pattern>/forbidden/*</url-pattern>
> </web-resource-collection>
> <auth-constraint/>
> </security-constraint>
> This means /forbidden/* is not accessible by any user. The permission woks fine if the application is deployed in Geronimo Jetty distribution.
> If the application is deployed in Geronimo Tomcat distribution, URLs /forbidden/* are accessible by all users.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira