On Jan 13, 2006, at 8:18 AM, Jian Liao wrote:

Hi all,
I am working on integrating Jetspeed 2 with Geronimo (Tomcat container). I have the following configuration in my j2 main web.xml.

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Login</web-resource-name>
        <url-pattern>/login/redirector</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>*</role-name>
      </auth-constraint>
    </security-constraint>

But there is no role defined in this web.xml.

Should a WebResourcePermission("/login/redirector", "GET,POST,PUT,DELETE,HEAD,OPTIONS,TRACE") be added to the unchecked policy statements?
I think this special case is equal to "A WebResourcePermission must be added to the unchecked policy statements for each distinct url-pattern occurring in the security-constraint elements that do not contain an auth-constraint."

I did read the JACC spec (SRV. 3.1.3.1) and the Servlet 2.4 spec (SRV.12.8) and found nothing about this case (correct me if I am wrong). When I run this configuration on Tomcat 5.5.12, everything is OK: Tomcat treats * as allRole even when there is no role defined in web.xml, and hasResourcePermission() always returns true. But when I run this with Geronimo SVN head, it always returns false.

Any help would be appreciated!

I'm pretty sure our behavior is correct.  The paragraph previous to the one you quote says:

When an auth-constraint names the reserved role-name, "*", all of the patterns in the containing security-constraint must be combined with all of the roles defined in the web application.

Therefore, I think that if there are no roles defined in the web application, you have effectively made this an excluded resource.  I think if Tomcat standalone has different behavior, it is wrong.

thanks
david jencks


- Jian Liao
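To make the two readings above concrete, here is a small Python model of the Servlet 2.4 SRV.12.8 / JACC 3.1.3 translation of security-constraints into unchecked, excluded and per-role url-patterns, followed by a hasResourcePermission-style check. It is an added example, not Geronimo, Tomcat or Jetspeed code, and it does not use the javax.security.jacc API; it implements David's reading that "*" with no declared roles leaves the pattern excluded. The SecurityConstraint class, translate() and has_resource_permission() are constructed names for this illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class SecurityConstraint:
    """One <security-constraint>: its url-patterns and the role-names of its
    <auth-constraint> (None = element absent, [] = empty element)."""
    url_patterns: List[str]
    auth_constraint: Optional[List[str]] = None


Policy = Tuple[Set[str], Set[str], Dict[str, Set[str]]]


def translate(constraints: List[SecurityConstraint], declared_roles: List[str]) -> Policy:
    """Map security-constraints to unchecked / excluded / per-role url-patterns,
    following the Servlet 2.4 SRV.12.8 and JACC 3.1.3 translation rules."""
    unchecked: Set[str] = set()
    excluded: Set[str] = set()
    per_role: Dict[str, Set[str]] = {r: set() for r in declared_roles}
    for c in constraints:
        if c.auth_constraint is None:
            roles = None                        # no auth-constraint: unchecked
        elif "*" in c.auth_constraint:
            roles = set(declared_roles)         # "*" = every role declared in web.xml
        else:
            roles = set(c.auth_constraint)
        for pattern in c.url_patterns:
            if roles is None:
                unchecked.add(pattern)
            elif not roles:
                # Empty auth-constraint, or "*" with no declared roles: no role can
                # ever satisfy it, so the pattern is excluded (David's reading).
                excluded.add(pattern)
            else:
                for r in roles:
                    per_role.setdefault(r, set()).add(pattern)
    return unchecked, excluded, per_role


def has_resource_permission(policy: Policy, pattern: str, user_roles: List[str]) -> bool:
    """Excluded statements deny first, unchecked grant next, then the caller's roles."""
    unchecked, excluded, per_role = policy
    if pattern in excluded:
        return False
    if pattern in unchecked:
        return True
    return any(pattern in per_role.get(r, set()) for r in user_roles)


# The constraint from the web.xml quoted above (constructed input for this example).
LOGIN = SecurityConstraint(["/login/redirector"], ["*"])
```

With no declared roles, translate([LOGIN], []) puts /login/redirector in the excluded set and the check returns False for every caller, which is the Geronimo behavior described in the thread; declaring a role in web.xml moves the pattern into that role's set.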