Hi all,

I defined two security constraints in web.xml as follows:

  <!-- Protect LogInRedirectory.jsp.  This will require a login when called -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login</web-resource-name>
      <url-pattern>/login/redirector</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>

  <!--  securing the ManagerServlet -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Manager</web-resource-name>
      <url-pattern>/manager/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

It will create a WebResourcePermission instance with "/:/login/redirector:/manager/*" as its name and as its URLPatternSpec instance's pattern; this WebResourcePermission instance will be contained by PolicyConfigurationGeneric.unchecked.

After the successful login, a sendRedirect("/login/redirector") occurred.
A WebResourcePermission instance will be created like this: "new WebResourcePermission(request)" in class TomcatGeronimoRealm, line 200. So the WebResourcePermission instance will use "/login/redirector" to construct its URLPatternSpec, and then the URLPatternSpec constructor will initialize its "first" member variable with "/login/redirector". Is that what it expects? (See lines 45-46 in URLPatternSpec.java.)

Finally, I will fail on line 128 of URLPatternSpec.java, because the URLPattern instance in qualifiers will match the "URLPatternSpec.first" which was constructed above.

Could someone tell me how I should configure my security-constraint, or is that a bug?

- Jian Liao
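
The matching behaviour described in the message above, as an added example that is not part of the original post and is not Geronimo's URLPatternSpec.java: a simplified model of the JACC URLPatternSpec "implies" rules, run against the unchecked permission name quoted in the post. The class name and the sample URIs /manager/list and /index.jsp are constructed for illustration.

```java
import java.util.Arrays;
import java.util.List;

// Added illustration: simplified model of JACC URLPatternSpec matching,
// not the Geronimo implementation.
public class JaccPatternDemo {

    // True when reference pattern `ref` matches `arg` under the JACC URLPattern rules.
    static boolean matches(String ref, String arg) {
        if (ref.equals(arg) || ref.equals("/") || ref.equals("/*")) return true;
        if (ref.startsWith("/") && ref.endsWith("/*")) {             // path-prefix pattern
            String prefix = ref.substring(0, ref.length() - 2);
            return arg.startsWith(prefix)
                && (arg.length() == prefix.length() || arg.charAt(prefix.length()) == '/');
        }
        if (ref.startsWith("*.")) return arg.endsWith(ref.substring(1)); // extension pattern
        return false;
    }

    // True when spec `held` ("first:qualifier:qualifier...") implies spec `requested`.
    static boolean implies(String held, String requested) {
        List<String> h = Arrays.asList(held.split(":"));
        List<String> r = Arrays.asList(requested.split(":"));
        String reqFirst = r.get(0);
        if (!matches(h.get(0), reqFirst)) return false;
        List<String> heldQualifiers = h.subList(1, h.size());
        List<String> reqQualifiers = r.subList(1, r.size());
        for (String q : heldQualifiers) {
            if (matches(q, reqFirst)) return false;   // request falls inside an excluded pattern
        }
        if (matches(reqFirst, h.get(0))) {            // same first pattern: exclusions must be covered
            for (String q : heldQualifiers) {
                boolean covered = false;
                for (String x : reqQualifiers) covered |= matches(x, q);
                if (!covered) return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        String unchecked = "/:/login/redirector:/manager/*";   // name quoted in the post
        // Constructed sample request URIs, as produced by new WebResourcePermission(request)
        for (String uri : new String[] {"/login/redirector", "/manager/list", "/index.jsp"}) {
            System.out.println(uri + " implied by unchecked: " + implies(unchecked, uri));
        }
    }
}
```

Under these rules the unchecked permission excludes both constrained patterns by construction, so a request for /login/redirector can only be authorized by a permission granted to a role, not by the unchecked set.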
