Web app security constraint ignored if url-pattern doesn't match servlet mapping exactly
----------------------------------------------------------------------------------------
Key: GERONIMO-2295
URL: http://issues.apache.org/jira/browse/GERONIMO-2295
Project: Geronimo
Issue Type: Bug
Security Level: public (Regular issues)
Components: security, web
Affects Versions: 1.1
Reporter: Aaron Mulder
Priority: Blocker
Fix For: 1.1.1
If you have the following in your web.xml:
{noformat}
<servlet-mapping>
    <servlet-name>SecureServlet</servlet-name>
    <url-pattern>/secure/*</url-pattern>
</servlet-mapping>
<login-config>
    ...
</login-config>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Security Test</web-resource-name>
        <url-pattern>/secure/adminonly</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>administrator</role-name>
    </auth-constraint>
</security-constraint>
{noformat}
Then the page /secure/adminonly is in fact completely unprotected -- a user
who's not logged in can see it!
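Added example (not code from the Geronimo project or the reporter): a matcher implementing the servlet-spec url-pattern rules for security constraints, run over a web.xml constructed from the snippet above with the elided login-config filled in, plus an audit that lists constraint patterns that have no identical servlet-mapping pattern, which are exactly the constraints an affected container silently drops.

```python
import xml.etree.ElementTree as ET
# Constructed from the report's web.xml; the elided <login-config> is filled in.
WEB_XML = """<web-app>
  <servlet-mapping><servlet-name>SecureServlet</servlet-name>
    <url-pattern>/secure/*</url-pattern></servlet-mapping>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-constraint><web-resource-collection>
    <web-resource-name>Security Test</web-resource-name>
    <url-pattern>/secure/adminonly</url-pattern>
    <http-method>GET</http-method><http-method>POST</http-method>
    <http-method>PUT</http-method></web-resource-collection>
    <auth-constraint><role-name>administrator</role-name></auth-constraint>
  </security-constraint></web-app>"""

def pattern_matches(pattern, path):
    """Servlet-spec url-pattern rules: exact, prefix '/x/*', extension '*.ext', default '/'."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == "/"

def parse(web_xml):
    """Return (servlet-mapping patterns, list of constraint dicts)."""
    root = ET.fromstring(web_xml)
    mappings = [m.findtext("url-pattern") for m in root.iter("servlet-mapping")]
    constraints = []
    for sc in root.iter("security-constraint"):
        roles = [r.text for r in sc.iter("role-name")]
        for wrc in sc.iter("web-resource-collection"):
            constraints.append({"patterns": [p.text for p in wrc.iter("url-pattern")],
                                "methods": [m.text for m in wrc.iter("http-method")],
                                "roles": roles})
    return mappings, constraints
def required_roles(constraints, method, path):
    """Roles required for a request; matched on the request path alone, never on which servlet mapping serves it."""
    roles = set()
    for c in constraints:
        # An empty http-method list constrains every method.
        if ((not c["methods"] or method in c["methods"])
                and any(pattern_matches(p, path) for p in c["patterns"])):
            roles.update(c["roles"])
    return roles

def constraints_dropped_by_bug(mappings, constraints):
    """Constraint patterns with no identical servlet-mapping pattern: the ones the reported container ignores."""
    return [p for c in constraints for p in c["patterns"] if p not in mappings]
```

Under the spec rules the GET to /secure/adminonly requires the administrator role regardless of the /secure/* mapping; the audit flags that same pattern as one the affected release would leave unprotected.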