This is an automated email from the ASF dual-hosted git repository.
markt-asf pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new f688a206ab Don't ignore methods on security constraints mapped to "/"
f688a206ab is described below
commit f688a206ab284748ad7a47f2e46a2a08951d6483
Author: Mark Thomas <[email protected]>
AuthorDate: Wed Jun 17 19:51:18 2026 +0100
Don't ignore methods on security constraints mapped to "/"
---
java/org/apache/catalina/realm/RealmBase.java | 2 +-
test/org/apache/catalina/realm/TestRealmBase.java | 67 +++++++++++++++++++++++
webapps/docs/changelog.xml | 4 ++
3 files changed, 72 insertions(+), 1 deletion(-)
diff --git a/java/org/apache/catalina/realm/RealmBase.java
b/java/org/apache/catalina/realm/RealmBase.java
index df0de93e7b..4112b2b037 100644
--- a/java/org/apache/catalina/realm/RealmBase.java
+++ b/java/org/apache/catalina/realm/RealmBase.java
@@ -753,7 +753,7 @@ public abstract class RealmBase extends LifecycleMBeanBase
implements Realm {
boolean matched = false;
for (String pattern : patterns) {
- if (pattern.equals("/")) {
+ if (pattern.equals("/") &&
securityCollection.findMethod(method)) {
matched = true;
break;
}
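Review bot: The new condition `if (pattern.equals("/") && securityCollection.findMethod(method)) {` carries no comment saying why the method filter matters for this pattern in particular, which is the whole point of the fix; add `// "/" (the default servlet) matches every URI, so the collection's HTTP-method filter is the only thing that scopes the constraint` above the `for (String pattern : patterns)` loop. The enclosing method starts and ends outside the hunk, so how `matched` feeds the later `found`/result handling cannot be checked here; the new test's POST case suggests a "/" collection that excludes the request method is now skipped rather than treated as matching, which is presumably the intent. Before this change a "/" collection restricted to one method was applied to every method, and the test's GET-only `allowConstraint`, which carries no auth role, shows how that could let a permissive constraint cover requests it was never configured for; stating that consequence in the changelog entry would tell operators which deployments see a behaviour change.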
diff --git a/test/org/apache/catalina/realm/TestRealmBase.java
b/test/org/apache/catalina/realm/TestRealmBase.java
index 790c38116d..8c564e44b7 100644
--- a/test/org/apache/catalina/realm/TestRealmBase.java
+++ b/test/org/apache/catalina/realm/TestRealmBase.java
@@ -872,4 +872,71 @@ public class TestRealmBase {
Assert.assertFalse(mapRealm.hasResourcePermission(
request, response, constraintsPost, null));
}
+
+
+ @Test
+ public void testDefaultServletConstraints() throws IOException {
+ // Create a constraint that allows GET
+ SecurityConstraint allowConstraint = new SecurityConstraint();
+ SecurityCollection allowCollection = new SecurityCollection();
+ allowCollection.addMethod(Method.GET);
+ allowCollection.addPatternDecoded("/");
+ allowConstraint.addCollection(allowCollection);
+ // Create a constraint that disallows everything but GET
+ SecurityConstraint blockConstraint = new SecurityConstraint();
+ SecurityCollection blockCollection = new SecurityCollection();
+ blockCollection.addOmittedMethod(Method.GET);
+ blockCollection.addPatternDecoded("/");
+ blockConstraint.addCollection(blockCollection);
+ blockConstraint.addAuthRole(ROLE1);
+
+ TesterMapRealm mapRealm = new TesterMapRealm();
+
+ // Set up the mock request and response
+ TesterRequest request = new TesterRequest();
+ Response response = new TesterResponse();
+ Context context = request.getContext();
+ request.getMappingData().context = context;
+
+ // Create the principals
+ List<String> userRoles1 = new ArrayList<>();
+ userRoles1.add(ROLE1);
+ GenericPrincipal gp1 = new GenericPrincipal(USER1, userRoles1);
+
+ List<String> userRoles2 = new ArrayList<>();
+ userRoles2.add(ROLE2);
+ GenericPrincipal gp2 = new GenericPrincipal(USER2, userRoles2);
+
+ // Add the constraints to the context
+ context.addConstraint(allowConstraint);
+ context.addConstraint(blockConstraint);
+
+ // GET should be allowed
+ request.setMethod(Method.GET);
+ SecurityConstraint[] constraints =
mapRealm.findSecurityConstraints(request, context);
+
+ request.setUserPrincipal(null);
+ Assert.assertTrue(mapRealm.hasResourcePermission(
+ request, response, constraints, null));
+ request.setUserPrincipal(gp1);
+ Assert.assertTrue(mapRealm.hasResourcePermission(
+ request, response, constraints, null));
+ request.setUserPrincipal(gp2);
+ Assert.assertTrue(mapRealm.hasResourcePermission(
+ request, response, constraints, null));
+
+ // POST should require ROLE1 should be allowed
+ request.setMethod(Method.POST);
+ constraints = mapRealm.findSecurityConstraints(request, context);
+
+ request.setUserPrincipal(null);
+ Assert.assertFalse(mapRealm.hasResourcePermission(
+ request, response, constraints, null));
+ request.setUserPrincipal(gp1);
+ Assert.assertTrue(mapRealm.hasResourcePermission(
+ request, response, constraints, null));
+ request.setUserPrincipal(gp2);
+ Assert.assertFalse(mapRealm.hasResourcePermission(
+ request, response, constraints, null));
+ }
}
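Review bot: The comment `// POST should require ROLE1 should be allowed` has two sentences run together; change it to `// POST should require ROLE1` so it parallels `// GET should be allowed` above. The test exercises only GET and POST, and both verbs are named explicitly in one of the collections; adding a case for a verb that neither collection names would confirm that `addOmittedMethod(Method.GET)` on the block collection also gates methods not mentioned anywhere, which is the broadest situation the fix covers. The comment `// Create a constraint that allows GET` would also be clearer as `// Create a constraint that allows GET to anyone (no auth role, so unauthenticated access is permitted)`, since that is what the `request.setUserPrincipal(null)` `assertTrue` relies on.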
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index e9dd0bdf10..8c8df9674b 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -407,6 +407,10 @@
Ensure atomic session persistence in <code>FileStore</code>. Based on
pull request <pr>1016</pr> by sahvx655-wq. (markt)
</fix>
+ <fix>
+ Do not ignore methods configured on security constraints that map to
the
+ default servlet. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">