Posted to users@tomcat.apache.org by Boulay Arnaud <ab...@sopragroup.com> on 2004/03/09 10:23:30 UTC

Realm url pattern mistake ?

Hello, I'm trying some web.xml security features and think that Catalina doesn't perform url pattern very well in some cases (whatever the kind of Realm).

For example:
Roles               : Administrateur and DTN
Protected resources :
             "/pages/secret1/*.jsp" reserved for Administrateur role
             "/pages/*.jsp"         reserved for Administrateur and DTN roles

When the current user has only the DTN role, the first pattern is not filtered and so the resource is not protected, while if the first pattern is a straightforward resource (say /pages/secret1/myfile.jsp) it is correctly safe.
Any idea?
Thanks in advance,
Arnaud

web.xml sample :

<security-constraint>
      <web-resource-collection>
        <web-resource-name>webapp2</web-resource-name>
        <url-pattern>/pages/secret1/*.jsp</url-pattern>
      </web-resource-collection>
      <auth-constraint>
           <role-name>Administrateur</role-name>
      </auth-constraint>
 </security-constraint>

 <security-constraint>
      <web-resource-collection>
        <web-resource-name>webapp1</web-resource-name>
        <url-pattern>/pages/*.jsp</url-pattern>
      </web-resource-collection>
      <auth-constraint>
           <role-name>DTN</role-name>
           <role-name>Administrateur</role-name>
      </auth-constraint>
 </security-constraint>
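
Added example (not part of the original post and not Tomcat's code): the Servlet specification treats only `/prefix/*` and `*.ext` as wildcard url-patterns and compares every other string literally, so both patterns in the sample above match no real JSP. This Python sketch classifies the patterns and lists the constraints that cover a request path; the function names and the wrapping `<web-app>` element are assumptions of the example.

```python
import xml.etree.ElementTree as ET
# Constructed sample: the two url-patterns and role lists from the post.
WEB_XML = """<web-app>
 <security-constraint>
  <web-resource-collection><url-pattern>/pages/secret1/*.jsp</url-pattern></web-resource-collection>
  <auth-constraint><role-name>Administrateur</role-name></auth-constraint>
 </security-constraint>
 <security-constraint>
  <web-resource-collection><url-pattern>/pages/*.jsp</url-pattern></web-resource-collection>
  <auth-constraint><role-name>DTN</role-name><role-name>Administrateur</role-name></auth-constraint>
 </security-constraint>
</web-app>"""

def classify(pattern):
    """Mapping type per the Servlet specification's url-pattern rules."""
    if pattern.startswith("/") and pattern.endswith("/*"):
        return "path-prefix"
    if pattern.startswith("*."):
        return "extension"
    if pattern == "/":
        return "default"
    return "exact"  # everything else is compared literally, '*' included

def matches(pattern, path):
    kind = classify(pattern)
    if kind == "path-prefix":
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if kind == "extension":
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return kind == "default" or path == pattern

def constraints(web_xml):
    """Yield (url-pattern, [roles]) per security-constraint (no XML namespace assumed)."""
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        roles = [r.text.strip() for r in sc.iter("role-name")]
        for p in sc.iter("url-pattern"):
            yield p.text.strip(), roles

def lint(web_xml):
    """Patterns that contain '*' but are exact-match only (match just that literal string)."""
    return [p for p, _ in constraints(web_xml) if "*" in p and classify(p) == "exact"]

def roles_matching(web_xml, path):
    """Role lists of every constraint whose pattern matches the request path."""
    return [roles for p, roles in constraints(web_xml) if matches(p, path)]

if __name__ == "__main__":
    print(lint(WEB_XML), roles_matching(WEB_XML, "/pages/secret1/myfile.jsp"))
```

Rewriting the patterns as `/pages/secret1/*` and `/pages/*` makes both constraints match, at the cost of covering every resource under those directories rather than only `.jsp` files; how the container resolves the two overlapping constraints is not modelled here.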