|
Mantis - Resin
|
|||||
| Viewing Issue Advanced Details | |||||
|
|
|||||
| ID: | Category: | Severity: | Reproducibility: | Date Submitted: | Last Update: |
| 1419 | minor | always | 10-19-06 10:33 | 05-30-07 10:09 | |
|
|
|||||
| Reporter: | sam | Platform: | |||
| Assigned To: | ferg | OS: | |||
| Priority: | normal | OS Version: | |||
| Status: | closed | Product Version: | 3.0.19 | ||
| Product Build: | Resolution: | fixed | |||
| Projection: | none | ||||
| ETA: | none | Fixed in Version: | 3.1.2 | ||
|
|
|||||
| Summary: | 0001419: multiple http-method security-constraints | ||||
| Description: |
(rep by K Fetterman) In the specification, it shows an example of the security constraints that are placed in web.xml. I have displayed it below: <security-constraint> <web-resource-collection> <web-resource-name>restricted methods</web-resource-name> <url-pattern>/*</url-pattern> <http-method>DELETE</http-method> <http-method>PUT</http-method> </web-resource-collection> <auth-constraint/> </security-constraint> <security-constraint> <web-resource-collection> <web-resource-name>wholesale</web-resource-name> <url-pattern>/*</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <auth-constraint> <role-name>SALESCLERK</role-name> </auth-constraint> </security-constraint> <login-config> <auth-method>BASIC</auth-method> <realm-name>Wholesale</realm-name> </login-config> <security-role> <role-name>SALESCLERK</role-name> </security-role> From what I read, the above configuration should prevent all DELETE and PUT requests and use Basic Auth to when performing GET and POST requests. Resin doesn't do this. Using the above configuration, it does not perform any authentication when performing a GET or POST request. Essentially, it ignores the second security constraint declaration and allows anyone to perform a get or post. I tried various combinations of above, but none work as expected. I ended up deleting the second security constraint and removing all <http-method> declarations so the security constraint applies to all methods. |
||||
| Steps To Reproduce: | |||||
| Additional Information: | |||||
| Relationships | |||||
| Attached Files: | |||||
| Notes | |||||
|
|
|||||
|
|
||||