> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Subject: Re: Security Constraint conflict
>
> On 9/18/2009 9:47 PM, Bill Barker wrote:
> > I haven't checked the Servlet 3 spec, but with earlier versions,
> > the union process is to give you the *least* restrictive checking
> > (i.e. you just have to pass one constraint to pass).

With one specific exception (see below).

> Peter's original constraints never mentioned anything about the GET
> method on /*. Is silence consent in this scenario? I would imagine
> that explicitly prohibiting PUT, DELETE, TRACE, and OPTIONS does not
> tacitly allow GET. :(

Actually, the /* constraint would allow GET - as required by the spec - if it were the only constraint.

I think what's going wrong is failure to follow this requirement from the spec (emphasis added):

"The special case of an authorization constraint that *names no roles* shall combine with any other constraints to override their affects and cause access to be precluded." [Servlet Specification Version 2.5 MR6, SRV.12.7.1]

Since neither constraint specifies any roles, I think the effect should be to prevent access to /both/ *.xhtml and the PUT, DELETE, TRACE, and OPTIONS methods.

(I'm not a lawyer, but I frequently have to play one at work :-)

- Chuck
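To make the combination rule quoted above concrete, here is a small model added to this thread (it is not Tomcat's code, and since Peter's web.xml is not shown, the two constraints are reconstructed from the description): matching constraints are combined least-restrictively, except that an `<auth-constraint>` naming no roles precludes access for every request it matches.

```python
"""Model of Servlet 2.5 SRV.12.7.1 constraint combination (illustration, not Tomcat's code)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Constraint:
    url_patterns: list[str]
    http_methods: list[str] = field(default_factory=list)  # empty list = every method
    # None -> no <auth-constraint>, resource is unconstrained
    # []   -> <auth-constraint/> naming no roles, access is precluded
    # [..] -> role names that may access
    roles: Optional[list[str]] = None


def url_matches(pattern: str, path: str) -> bool:
    """Servlet URL-pattern matching: path prefix '/x/*', extension '*.ext', or exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def applies(c: Constraint, method: str, path: str) -> bool:
    method_ok = not c.http_methods or method.upper() in c.http_methods
    return method_ok and any(url_matches(p, path) for p in c.url_patterns)


def access_allowed(constraints, method, path, user_roles) -> bool:
    matching = [c for c in constraints if applies(c, method, path)]
    if not matching:
        return True  # nothing constrains this request
    # SRV.12.7.1: an auth-constraint naming no roles overrides all other constraints
    if any(c.roles == [] for c in matching):
        return False
    allowed = set()
    for c in matching:
        if c.roles is None:
            return True  # a constraint without auth-constraint allows unauthenticated access
        allowed.update(c.roles)
    # otherwise the union is the least restrictive reading: any one role suffices
    return "*" in allowed or bool(allowed & set(user_roles))


# Reconstructed from the thread's description; Peter's actual web.xml is not shown.
PETERS_CONSTRAINTS = [
    Constraint(["*.xhtml"], roles=[]),
    Constraint(["/*"], ["PUT", "DELETE", "TRACE", "OPTIONS"], roles=[]),
]
```

Under this reading GET /index.html stays open, while GET /page.xhtml and PUT /index.html are both precluded, as the reply concludes.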