[jira] Updated: (GERONIMO-5578) incorrect behaviour of security-constraint configuration in web.xml
[ https://issues.apache.org/jira/browse/GERONIMO-5578?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Han Hong Fang updated GERONIMO-5578: Attachment: web7.xml Forgot to provide the web7.xml used in test case. > incorrect behaviour of security-constraint configuration in web.xml > > > Key: GERONIMO-5578 > URL: https://issues.apache.org/jira/browse/GERONIMO-5578 > Project: Geronimo > Issue Type: Bug > Security Level: public(Regular issues) > Components: Tomcat >Affects Versions: 3.0 >Reporter: Han Hong Fang >Assignee: Han Hong Fang > Attachments: GERONIMO-5578.patch, web7.xml > > > When have following configuration in web.xml, GET and POST can be accessed by > both "RoleA" and "RoleB". > > > resource2 > /SampleServlet2 > GET > > > RoleA > > > > > > resource3 > /SampleServlet2 > POST > > > RoleB > > -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Updated: (GERONIMO-5578) incorrect behaviour of security-constraint configuration in web.xml
[ https://issues.apache.org/jira/browse/GERONIMO-5578?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Han Hong Fang updated GERONIMO-5578: Attachment: GERONIMO-5578.patch A WebResourcePermission must be added to the corresponding role for each distinct combination in the cross-product of url-pattern and role-name occurring in the security-constraint elements that contain an auth-constraint naming roles. (ref to chapter 3.1.3.2 of JACC v1.4 spec). The problem existed becaused all role-name shared a WebResourcePermission for each url-pattern. The patch is provided together with junit test case. Please help to review. Thanks! > incorrect behaviour of security-constraint configuration in web.xml > > > Key: GERONIMO-5578 > URL: https://issues.apache.org/jira/browse/GERONIMO-5578 > Project: Geronimo > Issue Type: Bug > Security Level: public(Regular issues) > Components: Tomcat >Affects Versions: 3.0 >Reporter: Han Hong Fang >Assignee: Han Hong Fang > Attachments: GERONIMO-5578.patch > > > When have following configuration in web.xml, GET and POST can be accessed by > both "RoleA" and "RoleB". > > > resource2 > /SampleServlet2 > GET > > > RoleA > > > > > > resource3 > /SampleServlet2 > POST > > > RoleB > > -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.