Ilya,

The differences you are seeing with the handling of a security constraint
for the url-pattern "/index.jsp" are most probably due to the different way
Glassfish/Tomcat handle welcome files as compared to Jetty. When Jetty
receives a request for "/context-root/", we look to see if there is a
security constraint that exactly matches, as per the specification Section
13.8.3 (using the algorithm specified in 12.1). Because your constraint is
/index.jsp, this does not match. Jetty then dispatches the request to the
welcome file mechanism via a forward - as this is a dispatch, the security
constraints cannot be re-evaluated. Most probably Glassfish/Tomcat are
using a redirect instead of a forward, which will cause a 2nd request that
will be evaluated against the security constraints. If you wish, you can
configure Jetty to do this too: set the init-param "redirectWelcome" to
"true" for the DefaultServlet.

As for the empty string, this is mandated by the Servlet Specification
section 12.2:

"The empty string ("") is a special URL pattern that exactly maps to the
application's context root, i.e., requests of the form
http://host:port/<context-root>/.
In this case the path info is '/' and the servlet path and context
path is empty string ("")."

regards,
Jan

On Fri, 15 Mar 2019 at 00:37, Basin Ilya <[email protected]> wrote:
> In Glassfish and Tomcat the following constraint protects access for both
> "/index.jsp" and "/" URIs, but in Jetty the latter is unprotected:
>
> <security-constraint>
>   <display-name>Restricted</display-name>
>   <web-resource-collection>
>     <web-resource-name>index</web-resource-name>
>     <description/>
>     <url-pattern>/index.jsp</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>remembermeclient</role-name>
>   </auth-constraint>
> </security-constraint>
>
> On the other hand, Jetty seems to support the empty string url-pattern
> inside security-constraint, but Tomcat and Glassfish don't.
>
> Who's right?
> _______________________________________________
> jetty-users mailing list
> [email protected]
> To change your delivery options, retrieve your password, or unsubscribe
> from this list, visit
> https://www.eclipse.org/mailman/listinfo/jetty-users
--
Jan Bartel <[email protected]>
www.webtide.com
*Expert assistance from the creators of Jetty and CometD*
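
The two Jetty-side options discussed in this thread, written out as a `web.xml` fragment. This is an added example, not configuration posted by either participant; it assumes a Jetty 9.x deployment where the default servlet is registered under the name `default` with class `org.eclipse.jetty.servlet.DefaultServlet`, and it reuses the role name from the original question.

```xml
<!-- Added example: fragment of WEB-INF/web.xml, placed inside <web-app>. -->

<!-- Option 1: have Jetty serve welcome files with a redirect instead of a
     forward. The browser then issues a second request for /index.jsp, and
     that request is evaluated against the /index.jsp constraint.
     Assumption: Jetty 9.x servlet name and class for the default servlet. -->
<servlet>
  <servlet-name>default</servlet-name>
  <servlet-class>org.eclipse.jetty.servlet.DefaultServlet</servlet-class>
  <init-param>
    <param-name>redirectWelcome</param-name>
    <param-value>true</param-value>
  </init-param>
</servlet>

<!-- Option 2: keep the forward, but constrain the context root itself.
     The empty url-pattern is the Servlet Specification 12.2 pattern that
     exactly maps to requests for /<context-root>/, so the first request
     is already covered before the welcome-file dispatch happens. -->
<security-constraint>
  <display-name>Restricted</display-name>
  <web-resource-collection>
    <web-resource-name>index</web-resource-name>
    <url-pattern>/index.jsp</url-pattern>
    <url-pattern></url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>remembermeclient</role-name>
  </auth-constraint>
</security-constraint>
```

Either option is enough on Jetty. Since the thread reports that Tomcat and Glassfish do not accept the empty-string pattern, check each target container by requesting the context root without credentials and confirming that access is denied or challenged.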