Greg Wilkins wrote:
> Craig R. McClanahan wrote:
>
> > The workaround I suggest is to use URL patterns like "/*", or directory names
> > with only digits in them, if this is an issue for your application.
>
> I agree here, but there is still more spec clarifications required
> before you can specify portable security in a web application:
>
Note: any suggestions for spec clarifications should be sent to the email address
on the front of the spec ([EMAIL PROTECTED]) to ensure that they get
formally addressed.
>
> 0) As methods such as PUT, MOVE and DELETE are controlled by security
> constraints, then this may be an issue for more applications than
> you'd think.
>
> If you deploy with no constraints at all in your web.xml (or the
> default web.xml), then the spec does imply that you will allow PUTs
> to your site.
>
That depends totally on whether or not the servlet executing this request supports
PUT. Unless it does (i.e. you have a doPut() method, or you override service() and
check the request method yourself), a PUT is not going to modify your web site --
security constraints or not. Same for the other methods.
>
> This probably is not a current problem, as many servers either don't
> support PUTs or disable them with a non-standard mechanism. But
> you have to think about it if you want your web app is going
> to be deployed on unknown servers.
>
> 1) It would be nice to specify a restrictive default constraint, and
> then relax it for specific URL mappings. But the spec does not say
> that the most specific security constraint applies.
> But that is probably a safe bet to make?
>
> 2) "/*" is not well defined in the spec, as it's obvious meaning
> is overloaded by the definition of "/" as the default mapping,
> so really "/*" == "/".
>
This is not correct at all. The "/*" mapping means "use this mapping for every
request processed by this webapp." The "/" mapping means "use this mapping *only*
if no other mapping matches".
> Thus if you restrict access to "/*" for a web app, then there
> is no mapping available relax that restriction
> on the root URL "/". Thus are request to http://host/context/
> will always be treated with the default security constraint.
>
See the servlet spec for the details.
>
> 3) The spec does not define a relaxed constraint. How is the
> following constraint interpreted?
>
> <security-constraint>
> <web-resource-collection>
> <url-pattern>/blah/*</url-pattern>
> </web-resource-collection>
> </security-constraint>
>
> Does it mean "no access on /blah/*" or "no constraints on /blah/*".
> Jetty currently assumes the former to be safe and uses a special
> role name NONE (non-standard) to specify relax access:
>
>
> <security-constraint>
> <web-resource-collection>
> <url-pattern>/public/*</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <role-name>NONE</role-name>
> </auth-constraint>
> </security-constraint>
>
> --
> Greg Wilkins<[EMAIL PROTECTED]> GB Phone: +44-(0)2074394045
> Mort Bay Consulting Australia and UK. Mbl Phone: +44-(0)7775534369
> http://www.mortbay.com AU Phone: +61-(0)2 99772395
___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html