
Results of security testing....

 
janne jounivich
Ranch Hand
Posts: 45
Did some testing with Tomcat having the DD declared as follows...

First I did the test with the elements declared below.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>AName</web-resource-name>
        <url-pattern>*.do</url-pattern>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>Guest</role-name>
    </auth-constraint>
</security-constraint>

<security-role>
    <role-name>Guest</role-name>
</security-role>

<login-config>
    <auth-method>BASIC</auth-method>
</login-config>

resulting, with the right username and password, in
ACCESS to the resource (so far everything's ok)

but then I did my second test, in which I DIDN'T declare
any http-method, as follows

<security-constraint>
    <web-resource-collection>
        <web-resource-name>AName</web-resource-name>
        <url-pattern>*.do</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>Guest</role-name>
    </auth-constraint>
</security-constraint>

<security-role>
    <role-name>Guest</role-name>
</security-role>

<login-config>
    <auth-method>BASIC</auth-method>
</login-config>

but still I could access the resource with the right
username and password. I am starting to feel dizzy,
as HFS says and claims that this shouldn't be possible.
It would be interesting to know the truth.

JR

[ May 10, 2006: Message edited by: janne RockGulf ]
 
Charles Lyons
Author
Ranch Hand
Posts: 836
I am starting to feel dizzy, as HFS says and claims that this shouldn't be possible. It would be interesting to know the truth.
If no <http-method> elements are declared in the DD, the default is to apply the security-constraint to all HTTP methods - hence what you're experiencing. I tend to always leave out the <http-method> as it is convenient to have security imposed on all methods, unless you want to secure only PUT and DELETE for instance.
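To make the rule Charles states concrete, here is a small model of how a container evaluates <security-constraint> elements, added to this thread as an illustration; it is not Tomcat's code or the Servlet spec's reference implementation. The two deployment descriptors are the ones janne posted; the request paths, the list of HTTP methods, the Admin role in the PUT/DELETE case, and the function names are assumptions for the demo. The point it makes visible is the one a practitioner should check: with only POST listed, every other method (GET, HEAD, PUT, DELETE, ...) reaches *.do without any login, whereas leaving <http-method> out constrains them all.

```python
"""Model of <security-constraint> evaluation (added illustration, not Tomcat's code).

Rules modelled, as in the Servlet spec's combining rules: a collection with no
<http-method> covers every method; a matching constraint without an
<auth-constraint> opens the resource to everyone; an empty <auth-constraint>
closes it to everyone; otherwise the roles of all matching constraints are
combined and "*" stands for any authenticated user.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Set, Tuple

# Assumed method list for the demo; real clients can send others as well.
COMMON_METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE")


@dataclass(frozen=True)
class Constraint:
    """One <security-constraint> holding a single <web-resource-collection>."""
    url_patterns: Tuple[str, ...]                 # the <url-pattern> values
    http_methods: FrozenSet[str] = frozenset()    # empty: no <http-method>, i.e. every method
    roles: Optional[Tuple[str, ...]] = None       # None: no <auth-constraint> (open to all)
                                                  # (): empty <auth-constraint> (open to nobody)


def url_matches(pattern: str, path: str) -> bool:
    """Servlet-style matching: exact, path prefix ("/admin/*") or extension ("*.do")."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == path


def authorize(constraints: Iterable[Constraint], method: str, path: str,
              user_roles: Optional[Iterable[str]]) -> bool:
    """True if the request may proceed; user_roles is None for an anonymous client."""
    applicable = [c for c in constraints
                  if any(url_matches(p, path) for p in c.url_patterns)
                  and (not c.http_methods or method in c.http_methods)]
    if not applicable:
        return True          # nothing constrains this method+URL: no login is even asked for
    if any(c.roles is None for c in applicable):
        return True          # a matching constraint without <auth-constraint> lets everyone in
    allowed: Set[str] = set()
    for c in applicable:
        allowed.update(c.roles)      # roles from all matching constraints are combined
    if not allowed or user_roles is None:
        return False         # empty <auth-constraint>, or no credentials presented
    return "*" in allowed or bool(allowed & set(user_roles))


def unprotected_methods(constraints: Iterable[Constraint], path: str,
                        methods: Iterable[str] = COMMON_METHODS) -> Set[str]:
    """Methods with which an anonymous client reaches `path`; you want this empty."""
    cs = list(constraints)
    return {m for m in methods if authorize(cs, m, path, None)}


# janne's first DD: <http-method>POST</http-method> listed, Guest role required
POST_ONLY = [Constraint(("*.do",), frozenset({"POST"}), ("Guest",))]
# janne's second DD: no <http-method> at all, Guest role required
ALL_METHODS = [Constraint(("*.do",), frozenset(), ("Guest",))]
# Charles's "secure only PUT and DELETE" case; the Admin role is an assumption
PUT_DELETE_ONLY = [Constraint(("/*",), frozenset({"PUT", "DELETE"}), ("Admin",))]

if __name__ == "__main__":
    for name, dd in (("POST only", POST_ONLY), ("no http-method", ALL_METHODS),
                     ("PUT/DELETE only", PUT_DELETE_ONLY)):
        open_methods = sorted(unprotected_methods(dd, "/action.do"))
        print(f"{name:16s} anonymous reaches /action.do with: {open_methods or 'nothing'}")
```

Running it shows "POST only" letting an anonymous GET, HEAD, PUT, DELETE, OPTIONS and TRACE through to /action.do, "no http-method" letting nothing through, and the PUT/DELETE-only descriptor leaving the read methods open by design. The same authorize() call with ("Guest",) succeeds under both of janne's descriptors, which is why the login worked in both tests.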
 
Vivek Kinra
Ranch Hand
Posts: 66
If no <http-method> elements are declared in the DD, the default is to apply the security-constraint to all HTTP methods - hence what you're experiencing.

This is what Janne said, but he was still able to get the resources with username and password???
 
Charles Lyons
Author
Ranch Hand
Posts: 836
This is what Janne said but still able to get the resources with username and password???

I'm afraid I don't understand then... of course you should be able to use the same username and password because the security constraint is, in effect, the same. Please clarify your problem.
 
Marc Peabody
pie sneak
Sheriff
Posts: 4727
Well, janne, I told you what happens when no http-method tags are present, Charles told you what happens, and Tomcat has told you what happens.

I don't have HF right in front of me, but I would assume you're taking the passage out of context. The statement would only be true if no roles were specified in the constraint.
 
Marc Peabody
pie sneak
Sheriff
Posts: 4727
Now that I have my HFSJ in front of me, I'm not finding anywhere in the book that contradicts what we've been saying.

The note on the bottom of 660 reads:
"We left off <http-method> so that ALL HTTP Methods are constrained to be accessible only to those in the Admin role."
 
janne jounivich
Ranch Hand
Posts: 45
Thanx

JR
 