conflicting auth-constraint

 
Ranch Hand
Posts: 80
Hi.

I know that NO <auth-constraint> means everyone has access.

I also know that an empty <auth-constraint/> means nobody has access.

But what happens when two different <security-constraint> sections have the same <url-pattern> and one has no <auth-constraint> and the other has an empty <auth-constraint/>? See the code sample below for an example of what I mean...

In my tests I expected it to deny access, thinking that the "deny all" behaviour of the empty <auth-constraint/> should override the section with the "allow-all" missing <auth-constraint>.

However, to my surprise, I am able to access the specified <url-pattern>.

Is this the correct behaviour? Have I missed something?

John
 
Sheriff
Posts: 14691
Are you using Tomcat? There's a Tomcat quirk concerning the combination of auth-constraint. It was discussed here (Tomcat 5.0.x), but it seems to be the same with Tomcat 5.5.
 
JohnWilliam Fitz
Ranch Hand
Posts: 80
Hi Christophe.

Yes, I am using Tomcat 5.something. Thanks for that info.

So, in spite of my real-world experience, if by some eerie coincidence I get this as a question on the test, I should assume that an empty auth-constraint beats everything and denies access to all, right?

Thanks again!
John
 
Christophe Verré
Sheriff
Posts: 14691
Yep.

Merry Christmas
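As an added example (not code from this thread or from Tomcat), the Servlet specification's rules for combining <auth-constraint> elements that share a <url-pattern> (section 12.8.1 in Servlet 2.4), run over the two-constraint case John describes; the class and function names are my own assumptions. The thread reports that Tomcat 5.x deviated from these rules, so this models the spec behaviour, which is what the exam expects.

```python
# Spec-style combination of <auth-constraint> elements for one <url-pattern>.
# Constructed example; it is not Tomcat's implementation.
from dataclasses import dataclass
from typing import Optional, FrozenSet

NO_AUTH_CONSTRAINT = None   # <security-constraint> with no <auth-constraint>
DENY_ALL = frozenset()      # empty <auth-constraint/>


@dataclass(frozen=True)
class SecurityConstraint:
    url_pattern: str
    # None       -> element absent (unauthenticated access allowed)
    # frozenset() -> empty <auth-constraint/> (nobody allowed)
    # {...}      -> <role-name> entries; "*" means any authenticated role
    roles: Optional[FrozenSet[str]]


def combine(constraints, url_pattern):
    """Effective rule for one pattern: ("deny"|"unauthenticated"|"roles", roles)."""
    matching = [c for c in constraints if c.url_pattern == url_pattern]
    if not matching:
        return ("unauthenticated", frozenset())  # nothing covers the URL at all
    # An auth-constraint naming no roles overrides every other constraint.
    if any(c.roles is not None and len(c.roles) == 0 for c in matching):
        return ("deny", frozenset())
    # A constraint without an auth-constraint opens the URL to everyone.
    if any(c.roles is None for c in matching):
        return ("unauthenticated", frozenset())
    # Otherwise the permitted roles are the union of all named roles.
    return ("roles", frozenset().union(*(c.roles for c in matching)))


def is_allowed(constraints, url_pattern, user_roles, authenticated):
    """Access decision for a caller with the given roles and login state."""
    kind, roles = combine(constraints, url_pattern)
    if kind == "deny":
        return False
    if kind == "unauthenticated":
        return True
    if not authenticated:
        return False
    return "*" in roles or bool(roles & set(user_roles))


# John's case: same pattern, one section without <auth-constraint>,
# the other with an empty <auth-constraint/>. Spec says: access precluded.
JOHNS_WEB_XML = [
    SecurityConstraint("/secret/*", NO_AUTH_CONSTRAINT),
    SecurityConstraint("/secret/*", DENY_ALL),
]
```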