[ http://issues.apache.org/jira/browse/GERONIMO-2339?page=all ]
Vamsavardhana Reddy updated GERONIMO-2339:
------------------------------------------
Fix Version/s: 2.0
> Empty auth-constraint tag in web app security-constraint does not prevent
> access to resource
> --------------------------------------------------------------------------------------------
>
> Key: GERONIMO-2339
> URL: http://issues.apache.org/jira/browse/GERONIMO-2339
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: security, Tomcat
> Affects Versions: 1.1.1
> Environment: Geronimo Tomcat 1.1.1
> Reporter: Vamsavardhana Reddy
> Fix For: 1.2, 1.1.2, 2.0
>
> Attachments: g2339.war
>
>
> I have the following security constraint in web.xml
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>No Access</web-resource-name>
> <url-pattern>/forbidden/*</url-pattern>
> </web-resource-collection>
> <auth-constraint/>
> </security-constraint>
> This means /forbidden/* is not accessible by any user. The permission woks
> fine if the application is deployed in Geronimo Jetty distribution.
> If the application is deployed in Geronimo Tomcat distribution, URLs
> /forbidden/* are accessible by all users.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
