Web Security: when <http-method> is not defined, the servlet still gets control

Rajesh Karanam
Greenhorn
Hello All,

I'm learning declarative web security and started with a small application to get my hands dirty. As per the documentation, I understand that if <http-method> is absent, then the security constraint is applied to all HTTP methods.

Now my web.xml is declared as


and declared the role in tomcat-users.xml as below

<role rolename="restricted"/>
<user password="restricted" roles="restricted" username="restricted"/>

and my servlet is as below



and my expectation is that when I hit http://localhost:8080/MyApp/Restricted I get a dialog box prompting me to enter credentials, and then, after being authenticated, I get an error restricting access to that servlet, because I have not provided any <http-method>.

Now, I do get the pop-up box for entering credentials, but not always, so I think that might have to do with caching of these values by the browser. But I'm more interested in why I still get into the doGet() method when all HTTP methods are restricted. I confirm this because I see the statements below in the console:

BASIC
true
false

Then I experimented by adding <http-method-omission>GET</http-method-omission>

and I still got into doGet(), only that the output is
null
false
false

Where is the mistake? Please advise.

Ulf Dittmer
Rancher
and my expectation is that when I hit http://localhost:8080/MyApp/Restricted I get a dialog box prompting me to enter credentials, and then, after being authenticated, I get an error restricting access to that servlet, because I have not provided any <http-method>.

Why would you expect an error if you've entered valid credentials? Not providing an <http-method> means that the constraint applies to all methods, not that access to all methods is restricted even if valid credentials are entered.

but not always, so I think that might have to do with caching of these values by the browsers.

Some browsers cache such credentials until they're closed. So after restarting the browser you'd need to enter them again.

Then I experimented by adding <http-method-omission>GET</http-method-omission> and I still got into doGet()

<http-method-omission> whitelists GET, meaning it does not need credentials.
Rajesh Karanam
Greenhorn
Thank you Ulf, but

when you say "Not providing an <http-method> means that the constraint applies to all methods, not that access to all methods is restricted even if valid credentials are entered."

Can you elaborate on this? Does it mean the absence of <http-method> actually does not restrict access to the resource, but rather permits it? So, how do I restrict access? Should I add <http-method>GET</http-method> to let only GET work and all others fail?

Also, what is the whitelist you referred to? By adding <http-method-omission>GET, no credentials are required and no authentication is required. So this is as good as not adding a security constraint in web.xml.
Ulf Dittmer
Rancher
Yes, you should explicitly use http-method for all methods you want to allow when authenticated.

Http-method-omission has the opposite effect of http-method: it allows methods instead of denying them. I'd suggest not using it until you're clearer on the whole security setup.
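To make the difference between the three shapes of <security-constraint> discussed above concrete, here is an added web.xml example (not the original poster's lost web.xml and not from either reply). It keeps the /Restricted path, the "restricted" role and BASIC authentication from the thread; the /Reports and /Retired paths are constructed for illustration. It also uses the Servlet 3.1 <deny-uncovered-http-methods/> element, which is the standard answer to the gap that opens up once you start listing individual methods.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

  <!-- Case 1: no <http-method> at all. The constraint covers EVERY HTTP
       method, so any request to /Restricted must authenticate and the user
       must hold the "restricted" role. Once both are satisfied the request
       is dispatched normally, so doGet() runs. That is the expected outcome,
       not a bug. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restricted servlet, all methods</web-resource-name>
      <url-pattern>/Restricted</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>restricted</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Case 2: listing methods explicitly. Only GET and POST are covered here.
       Without the element below, PUT, DELETE, HEAD, OPTIONS etc. would be
       "uncovered" and reachable with no authentication at all, which is the
       classic mistake when people start enumerating methods. (/Reports is a
       constructed path, not from the thread.) -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports, listed methods only</web-resource-name>
      <url-pattern>/Reports</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>restricted</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Servlet 3.1: any method not named in a constraint for a pattern that
       has at least one constraint is rejected (403) instead of allowed. -->
  <deny-uncovered-http-methods/>

  <!-- Case 3: an EMPTY <auth-constraint/> means nobody is allowed, regardless
       of credentials. This is how to get the "error even after logging in"
       behaviour the original post expected. (/Retired is a constructed path.) -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Retired endpoint, denied to everyone</web-resource-name>
      <url-pattern>/Retired</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>MyApp</realm-name>
  </login-config>

  <security-role>
    <role-name>restricted</role-name>
  </security-role>
</web-app>
```

Quick check from a terminal: an unauthenticated GET to /Restricted should return 401 with a WWW-Authenticate: Basic header; the same request with restricted:restricted returns 200 and reaches doGet(); a DELETE to /Reports returns 403 because of <deny-uncovered-http-methods/>; and /Retired returns 403 even with valid credentials. Restart the browser (or use curl) between runs, since browsers keep BASIC credentials for the session, which explains the "not always prompted" observation above.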