conflicting auth-constraint

Ranch Hand
Posts: 80
Hi.

I know that NO <auth-constraint> means everyone has access.

I also know that an empty <auth-constraint/> means nobody has access.

But what happens when two different <security-constraint> sections have the same <url-pattern> and one has no <auth-constraint> and the other has an empty <auth-constraint/>? See the code sample below for an example of what I mean...



In my tests I expected it to deny access, thinking that the "deny all" behaviour of the empty <auth-constraint/> should override the section with the "allow-all" missing <auth-constraint>.

However, to my surprise, I am able to access the specified <url-pattern>.

Is this the correct behaviour? Have I missed something?

John
 
Sheriff
Posts: 14691
Are you using Tomcat? There's a Tomcat quirk concerning the combination of auth-constraint. It was discussed here (Tomcat 5.0.x), but it seems to be the same with Tomcat 5.5.
 
JohnWilliam Fitz
Ranch Hand
Posts: 80
Hi Christophe.

Yes, I am using Tomcat 5.something. Thanks for that info.

So, in spite of my real-world experience, if by some eerie coincidence I get this as a question on the test, I should assume that an empty auth-constraint beats everything and denies access to all, right?

Thanks again!
John
 
Christophe Verré
Sheriff
Posts: 14691
Yep.

Merry Christmas
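Added example (not from the thread, and not Tomcat's own code): a small Java model of the Servlet specification's rule for combining overlapping security constraints, run against the scenario in the question, where the spec-mandated result is deny-all even though the Tomcat 5.x build discussed above let the request through. Class, method and constraint names are assumptions made for the illustration.

```java
import java.util.List;
import java.util.Set;
import java.util.TreeSet;

/**
 * Models how the Servlet specification says overlapping security-constraints combine
 * when more than one matches the same request URL. Names here are assumed, not from any spec API.
 */
public class AuthConstraintCombiner {

    /** One security-constraint. roles == null: no auth-constraint element; empty set: empty auth-constraint. */
    record Constraint(String name, Set<String> roles) {
        static Constraint withoutAuthConstraint(String name) { return new Constraint(name, null); }
        static Constraint withEmptyAuthConstraint(String name) { return new Constraint(name, Set.of()); }
        static Constraint withRoles(String name, String... roleNames) { return new Constraint(name, Set.of(roleNames)); }
    }

    /**
     * Spec rule, checked in precedence order:
     *  1. any constraint with an empty auth-constraint  -> nobody gets in, whatever the others say
     *  2. otherwise, any constraint with no auth-constraint -> unauthenticated access is allowed
     *  3. otherwise -> the union of all named roles is permitted
     */
    static String combine(List<Constraint> matching) {
        if (matching.stream().anyMatch(c -> c.roles() != null && c.roles().isEmpty())) {
            return "DENY-ALL";
        }
        if (matching.stream().anyMatch(c -> c.roles() == null)) {
            return "ALLOW-ALL";
        }
        Set<String> union = new TreeSet<>();
        matching.forEach(c -> union.addAll(c.roles()));
        return "ROLES:" + union;
    }

    public static void main(String[] args) {
        // The poster's case: same url-pattern, one constraint with no auth-constraint and
        // one with an empty auth-constraint. Rule 1 takes precedence, so access must be denied.
        System.out.println("open + empty  -> " + combine(List.of(
                Constraint.withoutAuthConstraint("open"),
                Constraint.withEmptyAuthConstraint("closed"))));
        // Role-named constraints merge; adding one with no auth-constraint opens the URL to everyone.
        System.out.println("admin + staff -> " + combine(List.of(
                Constraint.withRoles("admins", "admin"),
                Constraint.withRoles("staff", "user", "editor"))));
        System.out.println("admin + open  -> " + combine(List.of(
                Constraint.withRoles("admins", "admin"),
                Constraint.withoutAuthConstraint("open"))));
    }
}
```

Because a container that gets rule 1 wrong silently widens access, the check worth keeping in a deployment pipeline is exactly this: for every url-pattern declared more than once, confirm the effective decision rather than trusting the most restrictive-looking element.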