http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10595

Security Constraints not processed according to spec.

------- Additional Comments From [EMAIL PROTECTED]  2002-12-06 09:40 -------
According to section 12.8 of the Servlet 2.3 spec, "All requests that contain a
request path that matches a URL pattern described in the web resource
collection are subject to the constraint", so all security-constraints have
to be processed. The following example works correctly in the given order, but not
in the reverse order, which it should according to the spec:

    <security-constraint>
      <web-resource-collection>
         <web-resource-name>Privater RM Bereich</web-resource-name>
         <url-pattern>/rmonly/talentbank/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
         <role-name>UWGL.PrivateArea.TB</role-name>
      </auth-constraint>
    </security-constraint>

    <security-constraint>
      <web-resource-collection>
         <web-resource-name>Privater RM Bereich</web-resource-name>
         <url-pattern>/rmonly/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
         <role-name>UWGL.PrivateArea</role-name>
      </auth-constraint>
    </security-constraint>

Comment:
It looks like the container is checking only the first constraint matching the
URL and granting access if that constraint is passed. Changing the order of the
security-constraints shouldn't have an effect.
If someone has the role "UWGL.PrivateArea" but not "UWGL.PrivateArea.TB", he
shouldn't be able to access the resources for "UWGL.PrivateArea.TB". If you
change the order of the constraints in the example above, Tomcat will grant
access to those resources.

This is a critical security bug, I think.

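The following is an added example, not code from the bug report or from Tomcat: it reads the report's two constraints from a constructed web.xml fragment and evaluates a request path against every matching constraint, the way the reporter reads section 12.8, alongside a `first_match_only` switch that models the behaviour the report describes. The URL-pattern matcher follows the Servlet rules (exact, `/x/*` prefix, `*.ext`, default `/`); role and path values beyond the report's are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment, built from the two constraints in the report.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Privater RM Bereich</web-resource-name>
      <url-pattern>/rmonly/talentbank/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>UWGL.PrivateArea.TB</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Privater RM Bereich</web-resource-name>
      <url-pattern>/rmonly/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>UWGL.PrivateArea</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def pattern_matches(pattern, path):
    # Servlet URL-pattern rules: exact, path prefix (/x/*), extension (*.ext), default (/)
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == "/"

def load_constraints(xml_text):
    # Returns [(url_patterns, required_roles)] in document order
    root = ET.fromstring(xml_text)
    return [([p.text for p in sc.iter("url-pattern")], {r.text for r in sc.iter("role-name")})
            for sc in root.iter("security-constraint")]

def allowed(constraints, path, user_roles, first_match_only=False):
    # Spec reading (Servlet 2.3, 12.8): every constraint whose pattern matches the
    # path applies, so the user must hold a role from each one. first_match_only=True
    # models the behaviour described in the report, where only the first match counts.
    matching = [roles for pats, roles in constraints if any(pattern_matches(p, path) for p in pats)]
    if first_match_only:
        matching = matching[:1]
    return all(roles & user_roles for roles in matching)
```

Reversing the constraint order changes nothing under the spec reading, but under `first_match_only` a user holding only "UWGL.PrivateArea" is granted the talentbank path once the `/rmonly/*` constraint comes first.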