
"auth-constraint" tag

 
Mahendar Reddy
Ranch Hand
Posts: 73
Hi friends. How do you do?

I have a doubt regarding security.

When we specify the following two <auth-constraint> tags for a single web resource, what happens?

1) <auth-constraint/>
2) <auth-constraint>*</auth-constraint>

In HFSJ they are saying that nobody can access the resource when one of them is <auth-constraint/>, but it is giving access to all, i.e. it is always the union of the two.

What's your opinion friends?
[ March 23, 2006: Message edited by: Mahendar Reddy ]
 
Narendra Dhande
Ranch Hand
Posts: 951
Hi,

Have you tested it? If yes, can you post the full <security-constraint> entry from your web.xml here?

Thanks
 
Steven Colley
Ranch Hand
Posts: 290
Hi,

Isn't it supposed to work fine only when you have two <web-resource-collection> tags specified rather than one?

Thanks.
 
Narendra Dhande
Ranch Hand
Posts: 951
Hi,

Basically the container unions all the roles under <auth-constraint> for the matching URL and HTTP method, irrespective of the <web-resource-collection>. The special case is for the matching resource: if one of the <auth-constraint> elements is empty, i.e. there is an entry <auth-constraint/>, then access is precluded for all users.

Thanks
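The combination rule described in the post above, written out as a small model. This is an added example, not code from this thread, from Tomcat, or from the spec itself. It parses the <security-constraint> elements out of a web.xml string, picks the best-matching url-pattern for a request the way SRV.11.1 does, and then combines the constraints that cover the request method: an empty <auth-constraint/> precludes everyone, a constraint with no <auth-constraint> at all opens the resource, and otherwise the role sets are unioned, with <role-name>*</role-name> read as any role declared in web.xml. The sample web.xml fragment is constructed here: WR1 and WR2 copy the pair from the thread, WR3 to WR5 are added to show the union and "*" cases. One reading is assumed and marked in the docstring: <auth-constraint/> overrides even a sibling constraint that has no <auth-constraint> element, which is the wording later spec versions use.

```python
"""Model of how a Servlet container combines <security-constraint> elements.
Added example, not code from the thread, Tomcat or the spec: SRV.12.8.1 rules
plus SRV.11.1 best-match selection. Assumed reading: <auth-constraint/> wins even
beside a constraint that has no <auth-constraint> element (later spec wording)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass
class Constraint:
    name: str
    patterns: list      # url-patterns of one <web-resource-collection>
    methods: set        # http-methods; an empty set means "all methods"
    has_auth: bool      # False: the constraint has no <auth-constraint> element
    roles: frozenset    # empty while has_auth is True means <auth-constraint/>


@dataclass
class Decision:
    kind: str           # 'unrestricted' | 'precluded' | 'roles'
    roles: frozenset    # only meaningful when kind == 'roles'


def _local(tag):        # '{http://java.sun.com/xml/ns/j2ee}x' -> 'x'
    return tag.rsplit('}', 1)[-1]


def parse_constraints(web_xml):
    """One Constraint per <web-resource-collection>, sharing its <auth-constraint>."""
    out = []
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != 'security-constraint':
            continue
        auth = [a for a in sc if _local(a.tag) == 'auth-constraint']
        roles = frozenset((r.text or '').strip() for a in auth for r in a
                          if _local(r.tag) == 'role-name')
        for wrc in (w for w in sc if _local(w.tag) == 'web-resource-collection'):
            kids = [(_local(c.tag), (c.text or '').strip()) for c in wrc]
            out.append(Constraint(
                name=next((v for k, v in kids if k == 'web-resource-name'), ''),
                patterns=[v for k, v in kids if k == 'url-pattern'],
                methods={v.upper() for k, v in kids if k == 'http-method'},
                has_auth=bool(auth), roles=roles))
    return out


def best_pattern(patterns, path):
    """SRV.11.1 order: exact match, longest path prefix, extension, then '/'."""
    best = None
    for p in patterns:
        if p == path:
            key = (0, 0)
        elif p.endswith('/*') and (path == p[:-2] or path.startswith(p[:-2] + '/')):
            key = (1, -len(p))
        elif p.startswith('*.') and path.rsplit('/', 1)[-1].endswith(p[1:]):
            key = (2, 0)
        elif p == '/':
            key = (3, 0)
        else:
            continue
        if best is None or key < best[0]:
            best = (key, p)
    return best[1] if best else None


def decide(constraints, path, method):
    """Effective access rule for (path, method), combined per SRV.12.8.1."""
    method = method.upper()
    best = best_pattern({p for c in constraints for p in c.patterns}, path)
    applicable = [c for c in constraints
                  if best in c.patterns and (not c.methods or method in c.methods)]
    if not applicable:  # method not covered on the best pattern: verb tampering gap
        return Decision('unrestricted', frozenset())
    if any(c.has_auth and not c.roles for c in applicable):
        return Decision('precluded', frozenset())      # <auth-constraint/> wins
    if any(not c.has_auth for c in applicable):
        return Decision('unrestricted', frozenset())   # no auth-constraint: open
    return Decision('roles', frozenset().union(*(c.roles for c in applicable)))


def is_allowed(decision, principal_roles=None):
    """None = unauthenticated; '*' = any role declared in web.xml (any role holder)."""
    if decision.kind == 'precluded':
        return False
    if decision.kind == 'unrestricted':
        return True
    if not principal_roles:
        return False
    return '*' in decision.roles or bool(decision.roles & set(principal_roles))


# Constructed sample: WR1/WR2 copy the thread's pair on /el/*; WR3-WR5 are added.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint><web-resource-collection><web-resource-name>WR1</web-resource-name>
    <url-pattern>/el/*</url-pattern><http-method>GET</http-method><http-method>POST</http-method>
  </web-resource-collection><auth-constraint><role-name>admin</role-name></auth-constraint></security-constraint>
  <security-constraint><web-resource-collection><web-resource-name>WR2</web-resource-name>
    <url-pattern>/el/*</url-pattern><http-method>GET</http-method><http-method>POST</http-method>
  </web-resource-collection><auth-constraint/></security-constraint>
  <security-constraint><web-resource-collection><web-resource-name>WR3</web-resource-name>
    <url-pattern>/jstl</url-pattern></web-resource-collection><auth-constraint><role-name>admin</role-name></auth-constraint></security-constraint>
  <security-constraint><web-resource-collection><web-resource-name>WR4</web-resource-name>
    <url-pattern>/jstl</url-pattern></web-resource-collection><auth-constraint><role-name>manager</role-name></auth-constraint></security-constraint>
  <security-constraint><web-resource-collection><web-resource-name>WR5</web-resource-name>
    <url-pattern>/reports/*</url-pattern></web-resource-collection><auth-constraint><role-name>*</role-name></auth-constraint></security-constraint>
</web-app>"""
CONSTRAINTS = parse_constraints(SAMPLE_WEB_XML)
```

With this model the thread's pair on /el/* comes out "precluded" for every principal, admin included, which is what HFSJ and the spec say, while the two constraints on /jstl union to {admin, manager}. Note one thing the sample shares with the web.xml in this thread: it constrains /el/* only for GET and POST, so a request for /el with any other method has no applicable constraint on that pattern and a spec-compliant container lets it through unauthenticated. Anyone verifying such a configuration should try HEAD or PUT as well as GET, or leave <http-method> out altogether so the constraint covers every method.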
 
Mahendar Reddy
Ranch Hand
Posts: 73
Hi Narendra,

Here is the web.xml:


<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <servlet>
    <servlet-class>servlet1</servlet-class>
    <servlet-name>s1</servlet-name>
    <init-param>
      <param-name>param10</param-name>
      <param-value>param10</param-value>
    </init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>s1</servlet-name>
    <url-pattern>/el</url-pattern>
  </servlet-mapping>

  <servlet>
    <servlet-name>s2</servlet-name>
    <servlet-class>jstl</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>s2</servlet-name>
    <url-pattern>/jstl</url-pattern>
  </servlet-mapping>

  <servlet>
    <servlet-name>test1</servlet-name>
    <jsp-file>/test1.jsp</jsp-file>
    <init-param>
      <param-name>param1</param-name>
      <param-value>JSPparam1</param-value>
    </init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>test1</servlet-name>
    <url-pattern>/test1.jsp</url-pattern>
  </servlet-mapping>

  <context-param>
    <param-name>param2</param-name>
    <param-value>param12</param-value>
  </context-param>

  <!-- Security Issues -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>

  <security-constraint>
    <web-resource-collection>
      <url-pattern>/el/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <web-resource-name>WR1</web-resource-name>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <url-pattern>/el/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <web-resource-name>WR2</web-resource-name>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>

</web-app>



It is giving access to the 'admin' role.

Just concentrate on the security tags. By the way, I am using Tomcat 5.0.

Thanks for your reply.
[ March 27, 2006: Message edited by: Mahendar Reddy ]
 
P Rathi
Greenhorn
Posts: 8
I have got the same question. Does anybody know the answer to this?
Who would have access? ALL or NONE?
 
Steven Colley
Ranch Hand
Posts: 290
Theoretically NONE, because of "<auth-constraint />".

Did you try using another <auth-method> value for the <login-config> issue?

Regards,
 
parra matta
Ranch Hand
Posts: 40
Hi,

Were you saying that it gave the admin access to /el/*?
 
Narendra Dhande
Ranch Hand
Posts: 951
Hi Mahendar,

I also tested the same on Tomcat 5.5.7. It is giving access to the admin user.

Also I tested it on the Sun Java System Application Server 8.1. It requires the following changes in your web.xml, as it validates the web.xml and the order of subelements under <security-constraint> is important.



In this testing it is not even giving me the Basic auth screen to enter the username and password. It only gives the forbidden message for this resource:
http://localhost:6060/test1/el

For the other resources not matching the above url-pattern it is working fine.

So, I think it is a Tomcat problem. Our assumption that if <auth-constraint/> occurs, then access is forbidden to all users for that resource is true.

I request someone to check on another commercial platform and comment on it.

Thanks
[ March 27, 2006: Message edited by: Narendra Dhande ]
 
Steven Colley
Ranch Hand
Posts: 290
Folks, I was taking a look at the Servlet Spec and noticed that there is a sample where the guys are using the same name for <web-resource-name> when they specify different <auth-constraint> tags for two <security-constraint> elements.

Source: Servlet Spec, Security chapter (Topic: "Combining Constraints"), pages 98 and 99.

What do you think about giving it a try?

regards,
 