Ilya,

A correction to my previous post. It is probable that Glassfish/Tomcat is using a container-specific mechanism to handle the welcome-file. As per the spec, Section 10.10:

"The container may send the request to the welcome resource with a forward, a redirect, or a container specific mechanism that is indistinguishable from a direct request."

In the case of a container-specific mechanism that is indistinguishable from a direct request, this implies that the security constraints would be re-evaluated. Jetty does not have a container-specific mechanism and uses only the servlet specification mechanisms of forward or redirect.

Jan

On Tue, 19 Mar 2019 at 10:48, Jan Bartel <[email protected]> wrote:

> Ilya,
>
> The differences you are seeing with the handling of a security constraint
> for the url-pattern "/index.jsp" are most probably due to the different way
> Glassfish/Tomcat handles welcome files as compared to Jetty. When Jetty
> receives a request for "/context-root/", we look to see if there is a
> security constraint that exactly matches as per the specification Section
> 13.8.3 (using the algorithm specified in 12.1). Because your constraint is
> /index.jsp, this does not match. Jetty then dispatches the request to the
> welcome file mechanism via a forward - as this is a dispatch, the security
> constraints cannot be re-evaluated. Most probably Glassfish/Tomcat are
> using a redirect instead of a forward, which will cause a 2nd request that
> will be evaluated against the security constraints. If you wish, you can
> configure Jetty to do this too: set the init-param "redirectWelcome" to
> "true" for the DefaultServlet.
>
> As for the empty string, this is mandated by the Servlet Specification
> section 12.2:
> "The empty string ("") is a special URL pattern that exactly maps to the
> application's context root, i.e., requests of the form
> http://host:port/<context-root>/.
> In this case the path info is '/' and the servlet path and context
> path is empty string ("")."
>
> regards,
> Jan
>
> On Fri, 15 Mar 2019 at 00:37, Basin Ilya <[email protected]> wrote:
>
>> In Glassfish and Tomcat the following constraint protects access for both
>> "/index.jsp" and "/" URIs, but in Jetty the latter is unprotected:
>>
>>     <security-constraint>
>>         <display-name>Restricted</display-name>
>>         <web-resource-collection>
>>             <web-resource-name>index</web-resource-name>
>>             <description/>
>>             <url-pattern>/index.jsp</url-pattern>
>>         </web-resource-collection>
>>         <auth-constraint>
>>             <role-name>remembermeclient</role-name>
>>         </auth-constraint>
>>     </security-constraint>
>>
>> On the other hand, Jetty seems to support the empty string url-pattern
>> inside security-constraint, but Tomcat and Glassfish don't.
>>
>> Who's right?
>> _______________________________________________
>> jetty-users mailing list
>> [email protected]
>> To change your delivery options, retrieve your password, or unsubscribe
>> from this list, visit
>> https://www.eclipse.org/mailman/listinfo/jetty-users
>
> --
> Jan Bartel <[email protected]>
> www.webtide.com
> *Expert assistance from the creators of Jetty and CometD*

--
Jan Bartel <[email protected]>
www.webtide.com
*Expert assistance from the creators of Jetty and CometD*
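The "redirectWelcome" setting mentioned in the thread, written out as a web.xml next to the constraint from the original question. This is an added example, not configuration posted by either participant or taken from the Jetty project. It assumes Jetty 9.x, where webdefault.xml registers the servlet named "default" with class org.eclipse.jetty.servlet.DefaultServlet, and it assumes index.jsp is the welcome file.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

  <!-- Assumed welcome file: a request for /context-root/ resolves to it. -->
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>

  <!-- Re-declare Jetty's DefaultServlet under its existing name so this
       init-param overrides the one in webdefault.xml (name and class are
       assumptions for Jetty 9.x). With redirectWelcome=true the welcome
       file is reached by a redirect, so the browser issues a second
       request for /index.jsp and that request is checked against the
       security constraints. With the default (forward), the dispatch to
       /index.jsp is not re-checked. -->
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.eclipse.jetty.servlet.DefaultServlet</servlet-class>
    <init-param>
      <param-name>redirectWelcome</param-name>
      <param-value>true</param-value>
    </init-param>
    <load-on-startup>0</load-on-startup>
  </servlet>

  <!-- Constraint from the thread, unchanged. The application's existing
       login-config and security-role elements are not shown here. -->
  <security-constraint>
    <display-name>Restricted</display-name>
    <web-resource-collection>
      <web-resource-name>index</web-resource-name>
      <url-pattern>/index.jsp</url-pattern>
      <!-- Alternative discussed in the thread: also list the empty-string
           pattern, which maps exactly to the context root (Servlet spec
           12.2). Per the thread, Jetty accepts it in a security-constraint
           while Tomcat and Glassfish do not, so it is left out here. -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>remembermeclient</role-name>
    </auth-constraint>
  </security-constraint>

</web-app>
```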
