Aaron Evans wrote:
> I have added struts and JSF applications to my jetspeed2 portal.
> What I have found is that once a user authenticates through the portal,
> then the request.getPrincipal() and request.isUserInRole() methods work
> as expected within my applications.
>
> However, any security constraints specified in the application's web.xml file
> are *not* respected when the application is accessed through the portal, but
> they are when you access the application directly.
>
> For example, I define the following security constraint and role in my web.xml:
>
>   <security-constraint>
>     <display-name>Admin Pages</display-name>
>     <web-resource-collection>
>       <web-resource-name>Admin Pages</web-resource-name>
>       <url-pattern>/admin/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>admin</role-name>
>     </auth-constraint>
>   </security-constraint>
>   <security-role>
>     <role-name>admin</role-name>
>   </security-role>
>
> If I have a resource /admin/admin.jsp, I can access it through the portal without
> authenticating, or if I authenticate as a user that is not in the admin role.
> If I access it outside the portal without authenticating, I am denied access.
>
> Is this a known limitation or a bug?
My interpretation is it's a bug.
We need to run the security check before dispatching to the servlet.
Log a JIRA issue.

From the spec:

PLT.20.2 Roles
The portlet specification shares the same definition as roles of the
Servlet Specification.
> On my admin.jsp page, I have output request.getRequestURI and
> request.getRequestURL and I get the following values:
>
>   URI: /jsfapp/admin/admin.jsp
>   URL: null
>
> Is this also expected behaviour (i.e. that the requestURL is null)? If so, then
> perhaps my security constraints are not being respected because Tomcat is using
> the URL and not the URI?
I think the NULL is correct, from the spec:

PLT.16.3.3 Request and Response objects for Included Servlets/JSPs
The target servlet or JSP of portlet request dispatcher has access to a
limited set of methods of the request and the response objects.
The following methods of the HttpServletRequest must return null: getProtocol,
getRemoteAddr, getRemoteHost, getRealPath, and getRequestURL.
--
David Sean Taylor
Bluesunrise Software
[EMAIL PROTECTED]
[office] +01 707 773-4646
[mobile] +01 707 529 9194
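The thread makes two points worth seeing together: the container does not apply web.xml security constraints to a servlet reached through a portlet request dispatcher (so the portal has to perform that check itself before dispatching), and for such included requests getRequestURL() is null, so any such check has to be keyed on the request URI rather than the URL. The following Python model of that check is an added example; it is not Jetspeed code and not part of the thread. It parses the web.xml fragment Aaron posted (wrapped in a <web-app> root so it parses stand-alone), implements servlet url-pattern matching (exact, /prefix/*, *.ext, default /), and decides access from the context-relative path and the caller's roles. Combining rules are a simplified reading of the Servlet spec: all constraints whose patterns match the path are combined, a matching constraint without an auth-constraint permits unauthenticated access, an empty auth-constraint denies everyone, and "*" stands for every declared security-role. Function names, the constructed sample and the context path /jsfapp are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the web.xml fragment from the thread, given a minimal
# <web-app> root so that it parses on its own.
WEB_XML = """<web-app>
  <security-constraint>
    <display-name>Admin Pages</display-name>
    <web-resource-collection>
      <web-resource-name>Admin Pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <role-name>admin</role-name>
  </security-role>
</web-app>"""


@dataclass
class Constraint:
    patterns: list               # <url-pattern> values of the constraint
    roles: Optional[list]        # None: no <auth-constraint>; []: empty one (deny all)


@dataclass
class SecurityConfig:
    constraints: list            # list of Constraint
    declared_roles: set          # <security-role> names, used to expand "*"


def parse_web_xml(web_xml: str) -> SecurityConfig:
    """Extract security-constraint and security-role elements from web.xml."""
    root = ET.fromstring(web_xml)
    constraints = []
    for sc in root.findall("security-constraint"):
        patterns = [(p.text or "").strip() for p in sc.iter("url-pattern")]
        auth = sc.find("auth-constraint")
        roles = None
        if auth is not None:
            roles = [(r.text or "").strip() for r in auth.findall("role-name")]
        constraints.append(Constraint(patterns, roles))
    declared = {(r.text or "").strip()
                for r in root.iter("security-role") for r in r.findall("role-name")}
    return SecurityConfig(constraints, declared)


def pattern_matches(pattern: str, path: str) -> bool:
    """Servlet-spec url-pattern semantics against a context-relative path."""
    if pattern in ("/", ""):                 # default servlet pattern
        return True
    if pattern.endswith("/*"):               # path-prefix pattern
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):             # extension pattern
        return path.endswith(pattern[1:])
    return path == pattern                   # exact match


def context_relative_path(request_uri: str, context_path: str) -> str:
    """Strip the context path: getRequestURL() is null for portlet-included
    requests (PLT.16.3.3), so the URI is the only usable source of the path."""
    if context_path and request_uri.startswith(context_path):
        return request_uri[len(context_path):] or "/"
    return request_uri


def is_access_allowed(cfg: SecurityConfig, path: str,
                      user_roles: Optional[set]) -> bool:
    """Decide access for a context-relative path. user_roles is None for an
    unauthenticated caller. This is the check the portal must run before
    dispatching, because the container will not run it for an include."""
    matching = [c for c in cfg.constraints
                if any(pattern_matches(p, path) for p in c.patterns)]
    if not matching or any(c.roles is None for c in matching):
        return True                          # unconstrained resource
    if any(c.roles == [] for c in matching):
        return False                         # empty auth-constraint: nobody
    permitted = set()
    for c in matching:
        permitted |= cfg.declared_roles if "*" in c.roles else set(c.roles)
    if user_roles is None:
        return False                         # protected resource, anonymous caller
    return bool(user_roles & permitted)


if __name__ == "__main__":
    cfg = parse_web_xml(WEB_XML)
    path = context_relative_path("/jsfapp/admin/admin.jsp", "/jsfapp")
    for who, roles in (("anonymous", None), ("user", {"user"}), ("admin", {"admin"})):
        print(f"{who:9s} -> {path}: {'allow' if is_access_allowed(cfg, path, roles) else 'deny'}")
```

Run as-is it prints the three cases from the thread: the anonymous request and the non-admin user are denied for /admin/admin.jsp while the admin is allowed, which is the behaviour the direct (non-portal) access already shows and the portal path does not.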