Understanding security constraint in web.xml

 
Ranch Hand
Hi,

I have the snippet below, related to a security constraint, in the web.xml of my Struts 2 application. Can anyone explain what it means and how the security constraint works for the XML below?



Also, we ran the Fortify tool, and it reported that instead of blacklisting, we should put a whitelist of tasks in this security constraint. Can anyone tell me how to change the above XML to provide whitelisting?

Thanks!
 
Saloon Keeper
As it stands right now, you actually appear to have redundant rules. None of them grant access, and the master URL pattern "/*" would apply even if the earlier patterns had not already blocked everything.

A whitelisting setup would define URL patterns that determine what roles have authorization and permit access to them. Unmatched URLs would be attempted against each of the remaining patterns. If none matched, the master pattern would reject the request.
 
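As an added illustration (not code from either poster; the asker's original snippet is not reproduced on this page), here is how a whitelist-style set of constraints is normally laid out in web.xml. The role names, URL patterns and realm name are assumptions for the example. Servlet containers apply the constraint whose url-pattern matches the request most specifically (an exact match, then the longest `/prefix/*`, then `*.ext` patterns), with `/*` as the fallback, so the catch-all with an empty `<auth-constraint/>` only refuses requests that no more specific pattern claimed.

```xml
<!-- Added example, not the asker's original snippet (which is not reproduced on this page).
     Role names, URL patterns and the realm name are assumptions for illustration. -->

<!-- 1. Explicitly permitted areas: each grants access to named roles only. -->
<security-constraint>
  <display-name>Admin tasks</display-name>
  <web-resource-collection>
    <web-resource-name>admin</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <!-- No <http-method> listed: the constraint covers every HTTP method.
         Listing specific methods would leave the other methods unconstrained. -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<security-constraint>
  <display-name>Ordinary user tasks</display-name>
  <web-resource-collection>
    <web-resource-name>tasks</web-resource-name>
    <url-pattern>/tasks/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

<!-- 2. Public content: a constraint with no <auth-constraint> element permits everyone.
     The login pages must be reachable, or FORM authentication cannot work. -->
<security-constraint>
  <display-name>Public content</display-name>
  <web-resource-collection>
    <web-resource-name>public</web-resource-name>
    <url-pattern>/index.jsp</url-pattern>
    <url-pattern>/login.jsp</url-pattern>
    <url-pattern>/login-error.jsp</url-pattern>
    <url-pattern>/css/*</url-pattern>
  </web-resource-collection>
</security-constraint>

<!-- 3. Deny-by-default catch-all: an empty <auth-constraint/> means no role is
     allowed, so any URL not claimed by a more specific pattern above is refused. -->
<security-constraint>
  <display-name>Everything else</display-name>
  <web-resource-collection>
    <web-resource-name>default-deny</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>

<!-- Every role referenced above must be declared, and a login method configured. -->
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>example-realm</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role><role-name>admin</role-name></security-role>
<security-role><role-name>user</role-name></security-role>
```

Two details are worth checking in any real deployment: a `<security-constraint>` that omits `<auth-constraint>` entirely allows everyone, while one that contains an empty `<auth-constraint/>` allows nobody, and the two are easy to confuse when reading the file; and a `<web-resource-collection>` that names `<http-method>` elements constrains only those methods, so leaving them out is the safe default. With a Struts 2 application, grouping actions under path namespaces such as `/admin` and `/tasks` lets the prefix patterns above cover the action URLs without listing each one.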