Empty auth-constraint tag in web app security-constraint does not prevent
access to resource
--------------------------------------------------------------------------------------------
Key: GERONIMO-2339
URL: http://issues.apache.org/jira/browse/GERONIMO-2339
Project: Geronimo
Issue Type: Bug
Security Level: public (Regular issues)
Components: security, Tomcat
Affects Versions: 1.1.1
Environment: Geronimo Tomcat 1.1.1
Reporter: Vamsavardhana Reddy
Fix For: 1.1.2, 1.2
I have the following security constraint in web.xml:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>No Access</web-resource-name>
            <url-pattern>/forbidden/*</url-pattern>
        </web-resource-collection>
        <auth-constraint/>
    </security-constraint>

This means /forbidden/* is not accessible by any user. The permission works
fine if the application is deployed in the Geronimo Jetty distribution.
If the application is deployed in the Geronimo Tomcat distribution, URLs
/forbidden/* are accessible by all users.
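
An added example, not part of the original report or of Geronimo's code: a small descriptor check that computes the access decision a container should make for a request path, so a deny-all constraint like the one above can be asserted in a deployment regression test. The function names and the /admin/* constraint are constructed for illustration; http-method and transport-guarantee elements are ignored, and the role name "*" is not expanded.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint from the report plus a role-protected area.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>No Access</web-resource-name>
      <url-pattern>/forbidden/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def find(elem, name):
    """Descendants with this local name (XML namespaces ignored)."""
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]

def rank(pattern, path):
    """Specificity of a url-pattern match (higher wins), or None if no match."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*") and (path == pattern[:-2] or path.startswith(pattern[:-1])):
        return (2, len(pattern))
    if pattern.startswith("*.") and path.rsplit("/", 1)[-1].endswith(pattern[1:]):
        return (1, 0)
    return (0, 0) if pattern == "/" else None

def expected_access(web_xml, path):
    """'deny-all', 'unchecked', or the permitted role set (assumption: http-method ignored)."""
    scored = [(rank((p.text or "").strip(), path), sc)
              for sc in find(ET.fromstring(web_xml), "security-constraint")
              for p in find(sc, "url-pattern")]
    scored = [(r, sc) for r, sc in scored if r is not None]
    if not scored:
        return "unchecked"  # no constraint covers this path
    best = max(r for r, _ in scored)
    auths = [find(sc, "auth-constraint") for r, sc in scored if r == best]
    role_sets = [{(n.text or "").strip() for n in find(a[0], "role-name")} for a in auths if a]
    if any(not roles for roles in role_sets):
        return "deny-all"   # an empty <auth-constraint/> overrides any other constraint
    if any(not a for a in auths):
        return "unchecked"  # constraint without auth-constraint: no authentication needed
    return set().union(*role_sets)
```

Any path for which expected_access returns "deny-all" should answer 403 for every user on both the Jetty and the Tomcat distribution.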