You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Boulay Arnaud <ab...@sopragroup.com> on 2004/03/09 10:23:30 UTC
Realm url pattern mistake ?
Hello, I'm trying some web.xml security features and think that Catalina does'nt perform url pattern very well in some cases (whatever the kind of Realm).
For example :
Roles : Administrateur and DTN
protected ressources :
"/pages/secret1/*.jsp" reserved for Administrateur role
"/pages/*.jsp" reserved for Administrateur and DTN roles
When the current user has only DTN role, the first pattern is not filtered and so the ressource is not protected while if the first pattern is a straightforward ressource (say /pages/secret1/myfile.jsp) is correctly safe.
any idea ?
thanks in advance,
Arnaud
web.xml sample :
<security-constraint>
<web-resource-collection>
<web-resource-name>webapp2</web-resource-name>
<url-pattern>/pages/secret1/*.jsp</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>Administrateur</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>webapp1</web-resource-name>
<url-pattern>/pages/*.jsp</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>DTN</role-name>
<role-name>Administrateur</role-name>
</auth-constraint>
</security-constraint>