That should work fine. /Content/*.do will still be considered an exact
pattern, and will be matched before the *.do extension pattern (no matter
what order they appear in the web.xml file). Only stuff that doesn't match
/Content/*.do but does match *.do will be secured in the example. You could
use the default mapping / to secure everything by default, and then
explicitly make /Content/*.do and perhaps /images/*, /styles/*, etc.
publicly available by adding url-patterns for them in the unsecured
web-resource-collection. You can put more than one url-mapping element in a
web-resource-collection, so it would be easy to do.
The Servlet Spec Version 2.3, sections SRV.12 and SRV.11.1 define the
matching behavior. They are pretty short and definitely worth a read for
anyone doing security stuff. I wrote some security constraints before I read
it, and I think I would have benefitted greatly from the short read had I
done it first.
Here are the most important parts (WITH MY OWN NOTES ADDED IN ALL CAPS;
SORRY FOR SHOUTING :-0):
Matching behavior for requests (from the servlet section, but the same rules
are applied for checking url-patterns for security):
1. The container will try to find an exact match of the path of the request
to the path of the servlet. A successful match selects the servlet. EXACT
PATTERNS WILL BE TRIED FIRST
2. The container will recursively try to match the longest path-prefix: This
is done by stepping down the path tree a directory at a time, using the '/'
character as a path separator. The longest match determines the servlet
selected. NOTE: 'longest' means the most path elements here -- '/a/b/c/d/*'
is longer than '/onereallylongdirectoryname/*' THEN THE PATH PATTERNS WILL
BE TRIED, STARTING WITH THE LONGEST ONES
3. If the last segment in the URL path contains an extension (e.g. .jsp),
the servlet container will try to match a servlet that handles requests for
the extension. An extension is defined as the part of the last segment after
the last '.' character. THEN THE EXTENSION PATTERNS WILL BE TRIED
4. If neither of the previous three rules result in a servlet match, the
container will attempt to serve content appropriate for the resource
requested. If a "default" servlet is defined for the application, it will be
used. AND FINALLY THE DEFAULT PATTERN WILL BE USED IF IT HAS BEEN SPECIFIED
OTHERWISE, NO MATCH -- ALLOW THE REQUEST
Classification rules for url-patterns in your web.xml file (path, extension,
default, exact):
1. A string beginning with a '/' character and ending with a '/*' postfix is
used for path mapping. PATH (INCLUDES '/*')
2. A string beginning with a '*.' prefix is used as an extension mapping.
EXTENSION
3. A string containing only the '/' character indicates the "default"
servlet of the application. In this case the servlet path is the request URI
minus the context path and the path info is null. DEFAULT
4. All other strings are used for exact matches only. IF IT DOESN'T MATCH
THE DEFINITIONS ABOVE, YOUR PATTERN IS AN EXACT PATTERN
-Max
----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, April 03, 2003 10:33 PM
Subject: RE: How to do authentication in different way for different action
classes
Would this be valid then:
<security-constraint>
<web-resource-collection>
<web-resource-name>Secured Resources</web-resource-name>
<url-pattern>*.do</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>strutsuser</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Public Resources</web-resource-name>
<url-pattern>/Content/*.do</url-pattern>
</web-resource-collection>
</security-constraint>
Where /Content is a sub directory of the ROOT directory, and that
subDirectory is _NOT_ secured, but everything else _IS_ secured?
This way I do not have to put all my secured pages under /private/* and I
can just intermingle them.
-----Original Message-----
From: Max Cooper [mailto:[EMAIL PROTECTED]
Sent: Friday, April 04, 2003 3:25 AM
To: Struts Users Mailing List; [EMAIL PROTECTED]
Subject: Re: How to do authentication in different way for different
action classes
You should keep *.do for your servlet mapping.
Assuming you are using container-managed security, you can do something like
this for your security constraints:
<security-constraint>
<web-resource-collection>
<web-resource-name>Secured Resources</web-resource-name>
<url-pattern>*.do</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>strutsuser</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Public Resources</web-resource-name>
<url-pattern>/welcome.do</url-pattern>
</web-resource-collection>
</security-constraint>
The servlet spec requires that "exact" patterns like /welcome.do should be
matched before "extension" patterns like *.do. So, requests for /welcome.do
will match the security constraint that doesn't have any role requirements,
rather than the one that does.
-Max
----- Original Message -----
From: "Rajendra Kadam" <[EMAIL PROTECTED]>
To: "Struts-User" <[EMAIL PROTECTED]>
Sent: Thursday, April 03, 2003 4:23 PM
Subject: How to do authentication in different way for different action
classes
> Hi,
>
> In our application,
>
> I don't want to do authentication to first action class ( welcome.do )
> But at the same time, I want to do authetication for all other action
> classes.
>
> Initally my web.xml was looking like this
>
> <servlet>
> <servlet-name>action</servlet-name>
>
> <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
> ......
> </servlet>
>
> <servlet-mapping>
> <servlet-name>action</servlet-name>
> <url-pattern>*.do</url-pattern>
> </servlet-mapping>
>
> But the disadvantage of doing this way, is that Authentication Dialog
> box comes up for welcome.do also. Which I don't want.
>
> Hence right now I'm putting all action classes for which authentication
> is required into url-pattern as shown below :
>
> <servlet-mapping>
> <servlet-name>action</servlet-name>
> <url-pattern>/abc.do</url-pattern>
> <url-pattern>/xya.do</url-pattern>
> <url-pattern>/sdabc.do</url-pattern>
> ......
> </servlet-mapping>
>
> Since I had not mentioned, welcome.do in above place, it doesn't do
> authentication for it.
>
> Dis-advantage of doing this is everytime I added new Action class, I
> have to make the entry into this url-pattern.
>
> Is there any better way of doing this ?
>
> TIA,
> raju
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Visit our website at http://www.ubswarburg.com
This message contains confidential information and is intended only
for the individual named. If you are not the named addressee you
should not disseminate, distribute or copy this e-mail. Please
notify the sender immediately by e-mail if you have received this
e-mail by mistake and delete this e-mail from your system.
E-mail transmission cannot be guaranteed to be secure or error-free
as information could be intercepted, corrupted, lost, destroyed,
arrive late or incomplete, or contain viruses. The sender therefore
does not accept liability for any errors or omissions in the contents
of this message which arise as a result of e-mail transmission. If
verification is required please request a hard-copy version. This
message is provided for informational purposes and should not be
construed as a solicitation or offer to buy or sell any securities or
related financial instruments.
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
