This is an automated email from the ASF dual-hosted git repository.

markt-asf pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
     new a0374c4509 Don't ignore methods on security constraints mapped to "/"
a0374c4509 is described below

commit a0374c450970760efafbd8806a1db278830ba7bd
Author: Mark Thomas <[email protected]>
AuthorDate: Wed Jun 17 19:51:18 2026 +0100

    Don't ignore methods on security constraints mapped to "/"
---
 java/org/apache/catalina/realm/RealmBase.java     |  2 +-
 test/org/apache/catalina/realm/TestRealmBase.java | 67 +++++++++++++++++++++++
 webapps/docs/changelog.xml                        |  4 ++
 3 files changed, 72 insertions(+), 1 deletion(-)

diff --git a/java/org/apache/catalina/realm/RealmBase.java 
b/java/org/apache/catalina/realm/RealmBase.java
index b3a7bc1f2d..6314cba7e3 100644
--- a/java/org/apache/catalina/realm/RealmBase.java
+++ b/java/org/apache/catalina/realm/RealmBase.java
@@ -761,7 +761,7 @@ public abstract class RealmBase extends LifecycleMBeanBase 
implements Realm {
 
                 boolean matched = false;
                 for (String pattern : patterns) {
-                    if (pattern.equals("/")) {
+                    if (pattern.equals("/") && 
securityCollection.findMethod(method)) {
                         matched = true;
                         break;
                     }
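Review bot: The new condition `pattern.equals("/") && securityCollection.findMethod(method)` has no comment explaining why the default-servlet branch now checks the request method, so the next reader cannot tell this was a deliberate fix rather than an accidental asymmetry with the other match passes, which start before this hunk. I would add above the `for (String pattern : patterns)` loop: `// A "/" pattern covers the default servlet; like the exact and prefix matches, it only applies when the collection's http-method / http-method-omission lists admit the request method.` The test added in TestRealmBase relies on `findMethod` honouring `addOmittedMethod`, which is worth stating in that comment. The enclosing method begins and ends outside the hunk.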
diff --git a/test/org/apache/catalina/realm/TestRealmBase.java 
b/test/org/apache/catalina/realm/TestRealmBase.java
index 97838f0021..fe9757d8c5 100644
--- a/test/org/apache/catalina/realm/TestRealmBase.java
+++ b/test/org/apache/catalina/realm/TestRealmBase.java
@@ -872,4 +872,71 @@ public class TestRealmBase {
         Assert.assertFalse(mapRealm.hasResourcePermission(
                 request, response, constraintsPost, null));
     }
+
+
+    @Test
+    public void testDefaultServletConstraints() throws IOException {
+        // Create a constraint that allows GET
+        SecurityConstraint allowConstraint = new SecurityConstraint();
+        SecurityCollection allowCollection = new SecurityCollection();
+        allowCollection.addMethod(Method.GET);
+        allowCollection.addPatternDecoded("/");
+        allowConstraint.addCollection(allowCollection);
+        // Create a constraint that disallows everything but GET
+        SecurityConstraint blockConstraint = new SecurityConstraint();
+        SecurityCollection blockCollection = new SecurityCollection();
+        blockCollection.addOmittedMethod(Method.GET);
+        blockCollection.addPatternDecoded("/");
+        blockConstraint.addCollection(blockCollection);
+        blockConstraint.addAuthRole(ROLE1);
+
+        TesterMapRealm mapRealm = new TesterMapRealm();
+
+        // Set up the mock request and response
+        TesterRequest request = new TesterRequest();
+        Response response = new TesterResponse();
+        Context context = request.getContext();
+        request.getMappingData().context = context;
+
+        // Create the principals
+        List<String> userRoles1 = new ArrayList<>();
+        userRoles1.add(ROLE1);
+        GenericPrincipal gp1 = new GenericPrincipal(USER1, userRoles1);
+
+        List<String> userRoles2 = new ArrayList<>();
+        userRoles2.add(ROLE2);
+        GenericPrincipal gp2 = new GenericPrincipal(USER2, userRoles2);
+
+        // Add the constraints to the context
+        context.addConstraint(allowConstraint);
+        context.addConstraint(blockConstraint);
+
+        // GET should be allowed
+        request.setMethod(Method.GET);
+        SecurityConstraint[] constraints = 
mapRealm.findSecurityConstraints(request, context);
+
+        request.setUserPrincipal(null);
+        Assert.assertTrue(mapRealm.hasResourcePermission(
+                request, response, constraints, null));
+        request.setUserPrincipal(gp1);
+        Assert.assertTrue(mapRealm.hasResourcePermission(
+                request, response, constraints, null));
+        request.setUserPrincipal(gp2);
+        Assert.assertTrue(mapRealm.hasResourcePermission(
+                request, response, constraints, null));
+
+        // POST should require ROLE1 should be allowed
+        request.setMethod(Method.POST);
+        constraints = mapRealm.findSecurityConstraints(request, context);
+
+        request.setUserPrincipal(null);
+        Assert.assertFalse(mapRealm.hasResourcePermission(
+                request, response, constraints, null));
+        request.setUserPrincipal(gp1);
+        Assert.assertTrue(mapRealm.hasResourcePermission(
+                request, response, constraints, null));
+        request.setUserPrincipal(gp2);
+        Assert.assertFalse(mapRealm.hasResourcePermission(
+                request, response, constraints, null));
+    }
 }
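Review bot: The comment introducing the POST block, `// POST should require ROLE1 should be allowed`, is garbled and does not state what the three assertions below check; `// POST should only be allowed for a user holding ROLE1` matches them (no principal denied, ROLE1 allowed, ROLE2 denied). The GET comment `// GET should be allowed` could likewise read `// GET is unconstrained: allowed with no principal and with either role` so the contrast with POST is explicit. The assertion on the unauthenticated POST is the one that distinguishes the fixed behaviour from the previous "/" handling, so a short comment naming it as the regression check would help future maintainers.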
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 62abf9c030..6bf4ab09cb 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -295,6 +295,10 @@
         Ensure atomic session persistence in <code>FileStore</code>. Based on
         pull request <pr>1016</pr> by sahvx655-wq. (markt)
       </fix>
+      <fix>
+        Do not ignore methods configured on security constraints that map to 
the
+        default servlet. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">

