
Question about security constraints

 
Ernesto Leyva
Ranch Hand
Posts: 62
Question:

if I have these security settings in the DD:

<security-role>
<role-name>role1</role-name>
<role-name>role2</role-name>
</security-role>

<security-constraint>
<web-resource-collection>
<web-resource-name>c1</web-resource-name>
<url-pattern>*.do</url-pattern>
</web-resource-collection>
<auth-constraint>*</auth-constraint>
</security-constraint>

then I have....

<security-constraint>
<web-resource-collection>
<web-resource-name>c2</web-resource-name>
<url-pattern>*.do</url-pattern>
</web-resource-collection>
<auth-constraint />
</security-constraint>

what roles are valid and what roles are not?
 
Radhika Gokhale
Ranch Hand
Posts: 40
Hi,

If we have more than one security constraint matching a url pattern, then the rules are as follows:

1. Union of individual constraints is taken.
2. If one of the constraints is a "*" then all the roles have access to the given methods.
3. If we have one empty auth constraint then none of the roles will have access to the given method.

In your question, since you have an empty auth-constraint in the second one, none of the roles will have access to the given methods.

Regards,
Radhika
 
Ernesto Leyva
Ranch Hand
Posts: 62
So this means the

<auth-constraint />

overrides the

<auth-constraint>*</auth-constraint>

Thanks
 
Ernesto Leyva
Ranch Hand
Posts: 62
I was reading the spec and I just want to confirm.
Check the 1st and 2nd security constraints: the first one
will require anyone to authenticate (username/password);
however, the second one grants unauthenticated access to
all resources. In this case the second constraint will
overlap the first one, invalidating the auth-constraint
for role1. Does someone know if this is right?


<security-role>
<role-name>role1</role-name>
<role-name>role2</role-name>
</security-role>

<security-constraint>
<web-resource-collection>
<web-resource-name>c1</web-resource-name>
<url-pattern>*.do</url-pattern>
</web-resource-collection>
<auth-constraint>role1</auth-constraint>
</security-constraint>

then I have....

<security-constraint>
<web-resource-collection>
<web-resource-name>c2</web-resource-name>
<url-pattern>*.do</url-pattern>
</web-resource-collection>
</security-constraint>
 
Richard Rex
Ranch Hand
Posts: 100
Hi Ernesto,

Since in the second one you didn't specify an <auth-constraint> tag, this allows all users to access the resource, which is the direct opposite of putting in an <auth-constraint> tag with an empty body.

Hope this helps.
 
Narendra Dhande
Ranch Hand
Posts: 951
Hi,

I think there is something wrong in your web.xml.

<security-role>
<role-name>role1</role-name>
<role-name>role2</role-name>
</security-role>

This should be
<security-role>
<role-name>role1</role-name>
</security-role>

<security-role>
<role-name>role2</role-name>
</security-role>


<security-constraint>
<web-resource-collection>
<web-resource-name>c1</web-resource-name>
<url-pattern>*.do</url-pattern>
</web-resource-collection>
<auth-constraint>role1</auth-constraint>
</security-constraint>


this should be

<security-constraint>
<web-resource-collection>
<web-resource-name>c1</web-resource-name>
<url-pattern>*.do</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>role1</role-name>
</auth-constraint>
</security-constraint>

For the * in auth-constraint:

<security-constraint>
<web-resource-collection>
<web-resource-name>c1</web-resource-name>
<url-pattern>*.do</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>

If an <auth-constraint/> occurs, then access is denied for all the matching urls and http methods, even if they were also defined under a different web-resource-collection with some other auth-constraint for the matching url and http-method.

Hope it helps you.

Thanks
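To make the combination rules from the replies above concrete, here is an added Python model (not from the original thread and not a servlet container's code) that parses a constructed web.xml built on the c1/c2 pair and computes who may reach a matching URL: an empty <auth-constraint/> denies everyone and overrides every other match, a constraint with no <auth-constraint> at all opens the resource to unauthenticated users, and named roles are unioned with * expanding to every declared <security-role>. It ignores <http-method> filtering, and the names build_web_xml, pattern_matches, effective_roles and is_permitted are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml modelled on the thread's c1/c2 pair; {c2_auth} takes the variant under test.
WEB_XML_TEMPLATE = """<web-app>
  <security-role><role-name>role1</role-name></security-role>
  <security-role><role-name>role2</role-name></security-role>
  <security-constraint>
    <web-resource-collection><web-resource-name>c1</web-resource-name>
      <url-pattern>*.do</url-pattern></web-resource-collection>
    <auth-constraint><role-name>role1</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>c2</web-resource-name>
      <url-pattern>*.do</url-pattern></web-resource-collection>
    {c2_auth}
  </security-constraint>
</web-app>"""

def build_web_xml(c2_auth=""):
    """c2_auth: '' (no auth-constraint), '<auth-constraint/>', or one naming roles."""
    return WEB_XML_TEMPLATE.format(c2_auth=c2_auth)

def pattern_matches(pattern, path):
    """Servlet url-pattern forms: exact, prefix '/x/*', extension '*.ext', default '/'."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return path.endswith(pattern[1:]) if pattern.startswith("*.") else pattern in (path, "/")

def effective_roles(web_xml, path):
    """Combine every constraint matching `path` per the servlet spec: None = unauthenticated
    access allowed, frozenset() = everyone denied, else the union of permitted roles ('*' = all)."""
    root = ET.fromstring(web_xml)
    declared = {r.text for r in root.findall("security-role/role-name")}
    matched = [sc.find("auth-constraint") for sc in root.findall("security-constraint")
               if any(pattern_matches(p.text, path)
                      for p in sc.findall("web-resource-collection/url-pattern"))]
    roles, unauthenticated_ok = set(), not matched  # unconstrained path: open
    for ac in matched:
        names = None if ac is None else {r.text for r in ac.findall("role-name")}
        if names is None:    # constraint without any auth-constraint: open to everyone
            unauthenticated_ok = True
        elif not names:      # <auth-constraint/>: deny all, overrides every other match
            return frozenset()
        else:
            roles |= declared if "*" in names else names
    return None if unauthenticated_ok else frozenset(roles)

def is_permitted(web_xml, path, user_roles=()):
    allowed = effective_roles(web_xml, path)
    return True if allowed is None else bool(allowed & set(user_roles))
```

Calling is_permitted(build_web_xml(), "/foo.do") with no roles returns True (c2 without an auth-constraint opens *.do to everyone), while build_web_xml("<auth-constraint/>") denies even role1.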
 