
conflicting auth-constraint

 
JohnWilliam Fitz
Ranch Hand
Posts: 80
Hi.

I know that NO <auth-constraint> means everyone has access.

I also know that an empty <auth-constraint/> means nobody has access.

But what happens when two different <security-constraint> sections have the same <url-pattern> and one has no <auth-constraint> and the other has an empty <auth-constraint/>? See the code sample below for an example of what I mean...



In my tests I expected it to deny access, thinking that the "deny all" behaviour of the empty <auth-constraint/> should override the section with the "allow-all" missing <auth-constraint>.

However, to my surprise, I am able to access the specified <url-pattern>.

Is this the correct behaviour? Have I missed something?

John
 
Christophe Verré
Sheriff
Posts: 14691
Are you using Tomcat? There's a Tomcat quirk concerning the combination of auth-constraint. It was discussed here (Tomcat 5.0.x), but it seems to be the same with Tomcat 5.5.
 
JohnWilliam Fitz
Ranch Hand
Posts: 80
Hi Christophe.

Yes, I am using Tomcat 5.something. Thanks for that info.

So, in spite of my real-world experience, if by some eerie coincidence I get this as a question on the test, I should assume that an empty auth-constraint beats everything and denies access to all, right?

Thanks again!
John
 
Christophe Verré
Sheriff
Posts: 14691
Yep.

Merry Christmas
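The combination John describes, modelled in Python as an added example (not Tomcat's code and not from the thread): it parses a constructed web.xml fragment containing the two conflicting constraints and applies the rule Christophe confirms for the exam, with a flag that reproduces the permissive Tomcat 5.x behaviour John observed. The `tomcat5_quirk` flag and the helper names are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment reproducing the situation in the question:
# two <security-constraint> elements for the same pattern, one with no
# <auth-constraint> at all, the other with an empty <auth-constraint/>.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>open</web-resource-name>
      <url-pattern>/secret/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>closed</web-resource-name>
      <url-pattern>/secret/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

DENY_ALL, ALLOW_ALL = "deny-all", "allow-all"

def parse_constraints(xml_text):
    """Yield (url_pattern, roles) pairs. roles is None when <auth-constraint>
    is absent, () when it is empty, else a tuple of the <role-name> values."""
    root = ET.fromstring(xml_text)
    for sc in root.iter("security-constraint"):
        ac = sc.find("auth-constraint")
        roles = None if ac is None else tuple(r.text.strip() for r in ac.findall("role-name"))
        for wrc in sc.findall("web-resource-collection"):
            for up in wrc.findall("url-pattern"):
                yield up.text.strip(), roles

def combine(xml_text, url_pattern, tomcat5_quirk=False):
    """Combine every constraint matching url_pattern into one verdict.
    Default (exam rule from the thread): an empty <auth-constraint/> denies
    everyone regardless of what else matches; a missing <auth-constraint>
    permits everyone only when no empty one is present; otherwise the
    permitted roles are the union of all named roles.
    tomcat5_quirk=True models the behaviour John saw: a constraint with no
    <auth-constraint> opens the resource even beside an empty one."""
    matching = [roles for up, roles in parse_constraints(xml_text) if up == url_pattern]
    if not matching:
        return ALLOW_ALL  # resource is not constrained at all
    has_empty = any(r == () for r in matching)
    has_missing = any(r is None for r in matching)
    if has_missing and (tomcat5_quirk or not has_empty):
        return ALLOW_ALL
    if has_empty:
        return DENY_ALL
    return frozenset(role for r in matching for role in r)
```

Running `combine(WEB_XML, "/secret/*")` gives the deny-all answer expected on the exam, while the quirk flag gives allow-all; auditing a real web.xml for patterns that combine to allow-all is a quick way to catch an accidental "everyone" constraint.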
 