I am working on integrating Jetspeed 2 with Geronimo (Tomcat container). I have the following configuration in my j2 main web.xml.
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Login</web-resource-name>
    <url-pattern>/login/redirector</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
But there is no role defined in this web.xml.
Should a WebResourcePermission("/login/redirector", "GET,POST,PUT,DELETE,HEAD,OPTIONS,TRACE") be added to the unchecked policy statements?
I think this special case is equal to "A WebResourcePermission must be added to the unchecked policy statements for each distinct url-pattern occurring in the security-constraint elements that do not contain an auth-constraint."
I did read JACC spec SRV. 3.1.3.1 and Servlet 2.4 spec SRV.12.8 and found nothing about this case (correct me if I am wrong). When I run this configuration on Tomcat 5.5.12, everything is OK: Tomcat treats * as allRole even though there is no role defined in web.xml, and hasResourcePermission() always returns true. But when I run this with Geronimo SVN head, it always returns false.
Any help would be appreciated!
- Jian Liao
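
A simplified model of the two outcomes described in the message above, as an added example that is not part of the original post and is not Tomcat, Geronimo or Jetspeed code. It assumes that `*` expands to the roles declared in web.xml under a strict reading, and that a lenient container admits the caller whenever the constraint names `*`; all function and variable names are hypothetical.

```python
ALL_METHODS = "GET,POST,PUT,DELETE,HEAD,OPTIONS,TRACE"

# Constructed input mirroring the post: one constraint naming "*",
# and no <security-role> elements declared in web.xml.
CONSTRAINTS = [{"url_patterns": ["/login/redirector"], "auth_roles": ["*"]}]
DECLARED_ROLES = []

def translate(constraints, declared_roles):
    """Build (unchecked, excluded, per_role) permission sets.

    Limitation of this model: only URL patterns named in a constraint
    are covered, and patterns are compared as exact strings.
    """
    unchecked, excluded, per_role = set(), set(), {}
    for c in constraints:
        perms = {(p, ALL_METHODS) for p in c["url_patterns"]}
        roles = c.get("auth_roles")      # None: no <auth-constraint> element
        if roles is None:
            unchecked |= perms           # the rule quoted in the post
        elif not roles:
            excluded |= perms            # auth-constraint naming no roles
        else:
            for r in roles:
                # Assumption: "*" is shorthand for every declared role.
                targets = declared_roles if r == "*" else [r]
                for role in targets:
                    per_role.setdefault(role, set()).update(perms)
    return unchecked, excluded, per_role

def strict_decision(policy, url, caller_roles):
    """Decide from the translated policy statements only."""
    unchecked, excluded, per_role = policy
    perm = (url, ALL_METHODS)
    if perm in excluded:
        return False
    if perm in unchecked:
        return True
    return any(perm in per_role.get(r, ()) for r in caller_roles)

def lenient_decision(constraints, url):
    """Assumed lenient handling: "*" admits the caller even with no roles declared."""
    return any(url in c["url_patterns"] and "*" in (c.get("auth_roles") or [])
               for c in constraints)
```

With no roles declared, the strict translation leaves the permission in none of the three sets, so the check fails for every caller, while the lenient handling grants it.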
