
question about * and empty security constraint

 
liao Yang
Ranch Hand
Posts: 36
Hi

<auth-constraint>
<role-name>*</role-name>
</auth-constraint>

and

<auth-constraint/>

If the two apply to the same web resource collection and HTTP method, will all roles be allowed access, or will no roles be allowed access?

I think that no user is allowed to access, since the spec says: "The special case of an authorization constraint that names no roles shall combine with any other constraints to override their affects and cause access to be precluded."

Am I right?

Thanks
 
Christophe Verré
Sheriff
Posts: 14691
Yes, you're right.
 
liao Yang
Ranch Hand
Posts: 36
Thanks Christophe

Here is another one, the combination of <auth-constraint/> with no <auth-constraint>.

The spec and HFSJ both mentioned the combination of <auth-constraint/> with others and empty <auth-constraint> with others, but didn't mention which wins when these two are combined.

I tested in Tomcat 5.5; the result is that the request is allowed without authentication.

Can anyone confirm this is the behaviour of the spec? Did I miss something from the spec?

Thank you.
 
liao Yang
Ranch Hand
Posts: 36
Sorry, when I say "empty <auth-constraint>" I mean there is no <auth-constraint> in a <security-constraint>.

I also tested the <auth-constraint/> with <auth-constraint>*</auth-constraint> combination; the result is that the request is refused after authentication. So NO <auth-constraint> is not equivalent to <auth-constraint>*</auth-constraint> when combined with <auth-constraint/>.
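
The combination rules discussed in this thread, as an added example (not code from any poster or from Tomcat): it applies the quoted override sentence literally to any other constraint, and takes the union and unauthenticated-access rules from the Servlet specification's section on combining constraints, so a container's actual behaviour still has to be confirmed by testing. Assumptions: the helper names, the `/admin/*` pattern, exact-string url-pattern comparison and namespace-free XML are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample fragments (no XML namespace, unlike a real web.xml).
STAR = "<auth-constraint><role-name>*</role-name></auth-constraint>"
EMPTY = "<auth-constraint/>"
ABSENT = ""  # the <security-constraint> has no <auth-constraint> at all

def constraint(auth_xml, pattern="/admin/*", method="GET"):
    """Build one constructed <security-constraint> element (hypothetical helper)."""
    return ("<security-constraint><web-resource-collection>"
            f"<url-pattern>{pattern}</url-pattern><http-method>{method}</http-method>"
            f"</web-resource-collection>{auth_xml}</security-constraint>")

def descriptor(*constraints):
    return "<web-app>" + "".join(constraints) + "</web-app>"

def effective_access(web_xml, pattern, method):
    """Combine all constraints naming this exact url-pattern and http-method."""
    roles, unauthenticated = set(), False
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        applies = False
        for wrc in sc.iter("web-resource-collection"):
            patterns = {(p.text or "").strip() for p in wrc.iter("url-pattern")}
            methods = {(m.text or "").strip() for m in wrc.iter("http-method")}
            # A collection that lists no http-method covers every method.
            if pattern in patterns and (not methods or method in methods):
                applies = True
        if not applies:
            continue
        auth = sc.find("auth-constraint")
        if auth is None:
            unauthenticated = True   # constraint without an auth-constraint
            continue
        named = {(r.text or "").strip() for r in auth.iter("role-name")}
        if not named:
            return "precluded"       # <auth-constraint/> overrides all others
        roles |= named               # named or implied roles form a union
    if unauthenticated or not roles:
        return "unauthenticated"
    return "roles:*" if "*" in roles else "roles:" + ",".join(sorted(roles))

if __name__ == "__main__":
    cases = {"* + empty": (STAR, EMPTY), "empty + absent": (EMPTY, ABSENT),
             "* + absent": (STAR, ABSENT)}
    for name, parts in cases.items():
        xml = descriptor(*(constraint(p) for p in parts))
        print(name, "->", effective_access(xml, "/admin/*", "GET"))
```
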
 