[ http://issues.apache.org/jira/browse/GERONIMO-2295?page=comments#action_12426386 ] Aaron Mulder commented on GERONIMO-2295: ----------------------------------------
Confirmed that changing the servlet-mapping:url-pattern to match the web-resource-collection:url-pattern causes security to be applied. > Web app security constraint ignored if url-pattern doesn't match servlet > mapping exactly > ---------------------------------------------------------------------------------------- > > Key: GERONIMO-2295 > URL: http://issues.apache.org/jira/browse/GERONIMO-2295 > Project: Geronimo > Issue Type: Bug > Security Level: public(Regular issues) > Components: security, web > Affects Versions: 1.1 > Reporter: Aaron Mulder > Priority: Blocker > Fix For: 1.1.1 > > Attachments: SecurityTest.war > > > If you have the following in your web.xml: > {noformat} > <servlet-mapping> > <servlet-name>SecureServlet</servlet-name> > <url-pattern>/secure/*</url-pattern> > </servlet-mapping> > <login-config> > ... > </login-config> > <security-constraint> > <web-resource-collection> > <web-resource-name>Security Test</web-resource-name> > <url-pattern>/secure/adminonly</url-pattern> > <http-method>GET</http-method> > <http-method>POST</http-method> > <http-method>PUT</http-method> > </web-resource-collection> > <auth-constraint> > <role-name>administrator</role-name> > </auth-constraint> > </security-constraint> > {noformat} > Then the page /secure/adminonly is in fact completely unprotected -- a user > who's not logged in can see it! -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira
