https://bz.apache.org/bugzilla/show_bug.cgi?id=69925

            Bug ID: 69925
           Summary: Security Constraint in conf/web.xml Overrides
                    Application Security Constraint
           Product: Tomcat 9
           Version: 9.0.113
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: -----

A <security-constraint> specified in conf/web.xml will override any security
constraint with the same url-pattern in an application.

For instance, adding the following to conf/web.xml

    <security-constraint>
        <web-resource-collection>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

will override the following constraint in any application's WEB-INF/web.xml:

    <security-constraint>
        <web-resource-collection>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>MANAGER</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

The resources under /* will then not be protected, since the conf/web.xml
constraint does not specify an auth-constraint.

The only way to handle this is to move the security-constraint from
conf/web.xml to all applications.

Perhaps this is "normal".
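As an added example (not part of the bug report or of Tomcat's own code), the script below is an offline check an administrator can run to find the situation the report describes: a url-pattern constrained in conf/web.xml without an auth-constraint while the same url-pattern in an application's WEB-INF/web.xml does carry one. The two XML fragments are constructed inline from the snippets above, wrapped in a javaee-namespaced web-app root so the namespace handling is exercised; in practice you would read the real files from disk. Function and variable names are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the conf/web.xml fragment from the report, wrapped in a
# namespaced <web-app> root (the namespace is what a real web.xml declares).
GLOBAL_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>all</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

# Constructed sample: the application's WEB-INF/web.xml fragment from the report.
APP_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>all</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>MANAGER</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""


def _local(tag):
    """Strip an XML namespace prefix: '{ns}url-pattern' -> 'url-pattern'."""
    return tag.rsplit('}', 1)[-1]


def parse_constraints(xml_text):
    """Return one dict per <security-constraint>: its url-patterns, whether it
    carries an <auth-constraint> at all (an empty one means 'deny everyone',
    so presence matters, not role count), the roles named, and the transport
    guarantee if any."""
    root = ET.fromstring(xml_text)
    result = []
    for sc in root.iter():
        if _local(sc.tag) != 'security-constraint':
            continue
        patterns, roles, auth, transport = [], [], False, None
        for child in sc:
            name = _local(child.tag)
            if name == 'web-resource-collection':
                patterns += [(e.text or '').strip() for e in child
                             if _local(e.tag) == 'url-pattern']
            elif name == 'auth-constraint':
                auth = True
                roles += [(e.text or '').strip() for e in child
                          if _local(e.tag) == 'role-name']
            elif name == 'user-data-constraint':
                for e in child:
                    if _local(e.tag) == 'transport-guarantee':
                        transport = (e.text or '').strip()
        result.append({'patterns': patterns, 'auth': auth,
                       'roles': roles, 'transport': transport})
    return result


def find_shadowed(global_xml, app_xml):
    """Flag url-patterns that appear in both files where every global
    (conf/web.xml) constraint on that pattern lacks an <auth-constraint> but
    the application's constraint has one. Under the precedence the report
    describes, these are the patterns whose authentication requirement is
    lost. Returns a list of (url-pattern, application roles) tuples."""
    global_by_pattern = {}
    for c in parse_constraints(global_xml):
        for p in c['patterns']:
            global_by_pattern.setdefault(p, []).append(c)
    findings = []
    for c in parse_constraints(app_xml):
        if not c['auth']:
            continue
        for p in c['patterns']:
            shadows = global_by_pattern.get(p, [])
            if shadows and not any(g['auth'] for g in shadows):
                findings.append((p, tuple(c['roles'])))
    return findings


if __name__ == '__main__':
    for pattern, roles in find_shadowed(GLOBAL_WEB_XML, APP_WEB_XML):
        print(f'{pattern}: application requires roles {roles}, '
              f'but the conf/web.xml constraint on it has no auth-constraint')
```

The check only compares url-patterns literally (an exact `/*` against an exact `/*`); overlapping but non-identical patterns such as `/*` versus `/admin/*` are not matched, so treat an empty result as "no exact collision", not as proof that the global constraint cannot affect the application.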
