[ http://issues.apache.org/jira/browse/GERONIMO-2295?page=all ]
Aaron Mulder updated GERONIMO-2295:
-----------------------------------
Attachment: SecurityTest.war
Deploy the attached web application and view it at
http://localhost:8080/roletest/
Then click the links on that page and note that the link to
http://localhost:8080/roletest/secure/adminonly does not cause a login
> Web app security constraint ignored if url-pattern doesn't match servlet
> mapping exactly
> ----------------------------------------------------------------------------------------
>
> Key: GERONIMO-2295
> URL: http://issues.apache.org/jira/browse/GERONIMO-2295
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: security, web
> Affects Versions: 1.1
> Reporter: Aaron Mulder
> Priority: Blocker
> Fix For: 1.1.1
>
> Attachments: SecurityTest.war
>
>
> If you have the following in your web.xml:
> {noformat}
> <servlet-mapping>
> <servlet-name>SecureServlet</servlet-name>
> <url-pattern>/secure/*</url-pattern>
> </servlet-mapping>
> <login-config>
> ...
> </login-config>
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>Security Test</web-resource-name>
> <url-pattern>/secure/adminonly</url-pattern>
> <http-method>GET</http-method>
> <http-method>POST</http-method>
> <http-method>PUT</http-method>
> </web-resource-collection>
> <auth-constraint>
> <role-name>administrator</role-name>
> </auth-constraint>
> </security-constraint>
> {noformat}
> Then the page /secure/adminonly is in fact completely unprotected -- a user
> who's not logged in can see it!
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
