I am combining multiple <security-constraint> elements and wildcard patterns. The
result is a bit confusing.

Only a single <security-constraint> definition:
===
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HTMLManger and Manager command</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
===

The above gives me access to all resources.

Now adding another constraint disallows 'admin' from accessing resource
/foo:
===
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HTMLManger and Manager command</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>HTMLManger and Manager command</web-resource-name>
    <url-pattern>/foo</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>other</role-name>
  </auth-constraint>
</security-constraint>
===

This is counterintuitive; I would still expect 'admin' to access all
resources, because it has the /* wildcard.

Debugging Tomcat confirms that adding constraints has side effects on
existing constraints.

When reading the servlet specification SRV.12.8.1, it mentions a union
operation over multiple <security-constraint> elements. But to me the above behaviour looks
more like a difference operation (the 2nd security constraint is removing a
right from the 1st one).

Or maybe I am reading something wrong...?

thanks.

-----
manuel aldana
aldana((at))gmx.de
software-engineering blog: http://www.aldana-online.de
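The behaviour asked about above follows from two separate rules in the servlet specification: the container first picks the single best-matching url-pattern for a request (SRV.11.1: exact match beats the longest path-prefix match, which beats an extension match), and only then combines the auth-constraints declared on that one pattern (SRV.12.8.1: union of role names; a constraint with no auth-constraint makes access unconstrained; an empty auth-constraint denies everyone). The union therefore applies only to constraints on the same pattern; /foo is an exact match and wins over /*, so only the 'other' role is consulted for /foo. The following Python model of those two rules is an added example, not Tomcat's code and not part of the original post; it ignores http-method and transport-guarantee elements, and the constraint lists ONLY_WILDCARD, WITH_FOO and SAME_PATTERN are constructed to mirror the web.xml fragments in the mail.

```python
"""Simplified model of servlet security-constraint resolution.

Constructed example: models SRV.11.1 (best-match url-pattern selection) and
SRV.12.8.1 (combining constraints on the same pattern). It ignores
<http-method> and <user-data-constraint>; this is not Tomcat's implementation.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple, Union


@dataclass(frozen=True)
class Constraint:
    """One <security-constraint> with a single <url-pattern>.

    roles=None         -> no <auth-constraint> element (access unconstrained)
    roles=frozenset()  -> empty <auth-constraint/> (access precluded for all)
    otherwise          -> the <role-name> values permitted
    """
    pattern: str
    roles: Optional[FrozenSet[str]]


# A resolution result: "unconstrained", "denied", or the set of permitted roles.
Decision = Union[str, FrozenSet[str]]


def _matches(pattern: str, path: str) -> bool:
    """Does a url-pattern match a request path (SRV.11.2 pattern forms)?"""
    if pattern == "/":                       # default servlet pattern
        return True
    if pattern.endswith("/*"):               # path-prefix pattern
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):             # extension pattern
        return path.endswith(pattern[1:])
    return pattern == path                   # exact pattern


def best_pattern(constraints: Iterable[Constraint], path: str) -> Optional[str]:
    """SRV.11.1 ordering: exact, then longest path prefix, then extension, then default."""
    patterns = {c.pattern for c in constraints if _matches(c.pattern, path)}
    if path in patterns:
        return path
    prefixes = [p for p in patterns if p.endswith("/*")]
    if prefixes:
        return max(prefixes, key=len)
    extensions = [p for p in patterns if p.startswith("*.")]
    if extensions:
        return extensions[0]
    return "/" if "/" in patterns else None


def combine(constraints: Iterable[Constraint], pattern: str) -> Decision:
    """SRV.12.8.1 combination of every constraint declared on the same pattern."""
    same = [c for c in constraints if c.pattern == pattern]
    if any(c.roles is not None and not c.roles for c in same):
        return "denied"                      # empty auth-constraint overrides the rest
    if any(c.roles is None for c in same):
        return "unconstrained"               # missing auth-constraint opens access
    return frozenset().union(*(c.roles for c in same))   # union of role names


def effective(constraints: List[Constraint], path: str) -> Tuple[Optional[str], Decision]:
    """Which pattern governs this path, and what the combined decision is."""
    pattern = best_pattern(constraints, path)
    if pattern is None:
        return None, "unconstrained"
    return pattern, combine(constraints, pattern)


def is_allowed(constraints: List[Constraint], path: str, user_roles: Iterable[str]) -> bool:
    """Would a user holding user_roles (empty = unauthenticated) be granted access?"""
    _, decision = effective(constraints, path)
    if decision == "unconstrained":
        return True
    if decision == "denied":
        return False
    held = frozenset(user_roles)
    return bool(held) and ("*" in decision or bool(decision & held))


# Constructed constraint lists mirroring the web.xml fragments in the mail.
ONLY_WILDCARD = [Constraint("/*", frozenset({"admin"}))]
WITH_FOO = ONLY_WILDCARD + [Constraint("/foo", frozenset({"other"}))]
# Two constraints on the *same* pattern: this is where the union applies.
SAME_PATTERN = [Constraint("/foo", frozenset({"admin"})),
                Constraint("/foo", frozenset({"other"}))]

if __name__ == "__main__":
    for name, cfg in (("only /*", ONLY_WILDCARD), ("/* + /foo", WITH_FOO), ("/foo twice", SAME_PATTERN)):
        for path in ("/foo", "/bar"):
            print(f"{name:11} {path}: governed by {effective(cfg, path)}, "
                  f"admin allowed={is_allowed(cfg, path, {'admin'})}")
```

Running the script shows that with WITH_FOO the request /foo is governed by the exact pattern /foo with roles {'other'}, so 'admin' is refused, while /bar is still governed by /* and 'admin' is allowed; with SAME_PATTERN both roles are permitted on /foo, which is the union the specification describes. Listing 'admin' in the /foo constraint as well is the configuration that keeps the administrator's access when the second constraint is added.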

