All,

I'm new to the list, so be gentle on me :)

I have some issues regarding JRun 4 and web security.  We are building a
J2EE application complete with stateless session beans, servlets,
filters, etc, and we are integrating ColdFusion into the system to allow
for customer customization without having to code Java directly.

We are using FORM-based authentication and role-based security.  Most
URLs in our system require the user to be within a particular role and
therefore must have logged in, but there are some URLs that are
designed to be open such that login is not required.  I have tried with
and without the <auth-constraint> specified on the "open" collection, to
no avail.

I cannot get JRun4 to allow open URLs... it is requiring login for the
ones that I believe are specified to be open.  For a point of reference,
this works fine in JBoss 3.0.3, but does not work as desired in JRun 4.
The relevant part of our web.xml file is listed below, along with a
cut-and-paste from the Servlet 2.3 specification which I believe
indicates that JRun is not behaving according to spec.

Here is an example.  A non-logged-in client navigates to
/open/jobPostingSetup.do - the JRun container is directing to the login
page rather than navigating to the servlet appropriately.  If I'm
reading the specification correctly, "/open/jobPostingSetup.do" should
match rule #1 stated below as it's an exact match, but rather it appears
to be matching "*.do" which we have specified in a protected URL space.

Am I reading the specification correctly?  Is JRun behaving properly? Is
there a way to protect *.do yet have some exceptions to that rule that
can be open to non-logged-in users?  If so, how?

Thank you for your help,

        Erik Hatcher
        Senior Java Architect, Darden
        Co-author, Java Development with Ant (Manning Publications)



web.xml snippet:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>OpenSecurity</web-resource-name>
            <description>Open Security</description>
            <url-pattern>*.jsp</url-pattern>
            <url-pattern>*.css</url-pattern>
            <url-pattern>*.gif</url-pattern>
            <url-pattern>*.jpg</url-pattern>
            <url-pattern>*.js</url-pattern>
            <url-pattern>/open/forgotPassword.do</url-pattern>
            <url-pattern>/open/sendPassword.do</url-pattern>
            <url-pattern>/open/jobPostingSetup.do</url-pattern>
            <url-pattern>/open/saveJobPosting.do</url-pattern>
            <url-pattern>/open/showSnippet.do</url-pattern>
            <url-pattern>/logout.do</url-pattern>
            <http-method>POST</http-method>
            <http-method>GET</http-method>
        </web-resource-collection>
        <!-- role-name "*" means every role declared in this web-app, so
             this variant still requires an authenticated user; the
             unconstrained ("open") form omits <auth-constraint> entirely -->
        <auth-constraint>
            <description></description>
            <role-name>*</role-name>
        </auth-constraint>
    </security-constraint>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>AlumniSecurity</web-resource-name>
            <description>Alumni Security</description>
            <url-pattern>/</url-pattern>
            <url-pattern>*.do</url-pattern>
            <url-pattern>/index.jsp</url-pattern>
            <url-pattern>/redirect.jsp</url-pattern>
            <http-method>POST</http-method>
            <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>AlumniUser</role-name>
        </auth-constraint>
    </security-constraint>


Section 11.1 of the Servlet 2.3 specification:

1. The container will try to find an exact match of the path of the
request to the path of the servlet. A successful match selects the
servlet.

2. The container will recursively try to match the longest path-prefix:
This is done by stepping down the path tree a directory at a time, using
the '/' character as a path separator. The longest match determines the
servlet selected.

3. If the last segment in the URL path contains an extension (e.g.
.jsp), the servlet container will try to match a servlet that handles
requests for the extension. An extension is defined as the part of the
path after the last '.' character.

4. If neither of the previous three rules result in a servlet match, the
container will attempt to serve content appropriate for the resource
requested. If a "default" servlet is defined for the application, it
will be used.
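The selection order quoted above can be checked mechanically. The script below is an added example (not code from the post, from JRun, or from any servlet container): it parses a web.xml fragment constructed from the two constraints in the post and applies the four rules in order (exact, longest path prefix, extension, default) to find the single best-matching url-pattern for a request, then reports what that constraint's auth-constraint requires. In the constructed fragment OpenSecurity is written in the unconstrained form with no auth-constraint at all; as posted, `<role-name>*</role-name>` means every role declared in the web-app, which still requires a login. The function names (`match_rank`, `access_rule`, `decide`, `load_constraints`) are this example's own. Two simplifications are assumed: when two constraints share the same best pattern the first one listed wins (later spec versions define how such constraints combine), and a collection that lists http-methods covers only those methods, so a verb it does not list (HEAD, for instance) falls outside that constraint; omitting `<http-method>` altogether covers every verb.

```python
"""Which <security-constraint> governs a request path under the Servlet
url-pattern selection order (exact > longest prefix > extension > default)?
Added example, not the post's or JRun's code; WEB_XML is constructed from
the post's snippet with OpenSecurity in the no-<auth-constraint> form."""
import xml.etree.ElementTree as ET

# Constructed from the posted web.xml: patterns trimmed to the ones that matter here.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>OpenSecurity</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
      <url-pattern>*.css</url-pattern>
      <url-pattern>/open/jobPostingSetup.do</url-pattern>
      <url-pattern>/logout.do</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>AlumniSecurity</web-resource-name>
      <url-pattern>/</url-pattern>
      <url-pattern>*.do</url-pattern>
      <url-pattern>/index.jsp</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>AlumniUser</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""


def match_rank(pattern, path):
    """Score how a url-pattern matches a request path, or None if it does not.
    Tuples compare so that exact > longest path prefix > extension > default."""
    if pattern == "/":                       # rule 4: default mapping, matches anything
        return (0, 0)
    if pattern.startswith("*."):             # rule 3: extension = text after the last '.'
        last = path.rsplit("/", 1)[-1]
        if "." in last and last.rsplit(".", 1)[-1] == pattern[2:]:
            return (1, 0)
        return None
    if pattern.endswith("/*"):               # rule 2: path prefix, longest wins
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))
        return None
    return (3, len(pattern)) if path == pattern else None   # rule 1: exact match


def access_rule(sc):
    """Translate a <security-constraint>'s <auth-constraint> into a decision."""
    ac = sc.find("auth-constraint")
    if ac is None:
        return "open"                        # no auth-constraint: unconstrained
    roles = {r.text.strip() for r in ac.findall("role-name")}
    if not roles:
        return "deny"                        # empty auth-constraint: nobody may access
    return roles                             # '*' here = all declared roles; login still required


def load_constraints(xml_text):
    return ET.fromstring(xml_text).findall("security-constraint")


def decide(constraints, path, method):
    """Return (winning url-pattern, rule) for a request; rule is 'open',
    'deny', or the set of allowed role names. First constraint wins a tie."""
    best = None
    for sc in constraints:
        coll = sc.find("web-resource-collection")
        methods = {m.text.strip() for m in coll.findall("http-method")}
        if methods and method not in methods:
            continue                         # listed methods only; other verbs are not covered
        for up in coll.findall("url-pattern"):
            pattern = up.text.strip()
            rank = match_rank(pattern, path)
            if rank is not None and (best is None or rank > best[0]):
                best = (rank, pattern, access_rule(sc))
    if best is None:
        return (None, "open")                # nothing matched: unconstrained
    return (best[1], best[2])


if __name__ == "__main__":
    cs = load_constraints(WEB_XML)
    for path, method in [("/open/jobPostingSetup.do", "GET"), ("/private/report.do", "GET"),
                         ("/index.jsp", "GET"), ("/styles/site.css", "GET"),
                         ("/open/jobPostingSetup.do", "HEAD")]:
        print(f"{method} {path} -> {decide(cs, path, method)}")
```

Under this reading the exact pattern `/open/jobPostingSetup.do` outranks `*.do`, so the request is open; conversely the exact `/index.jsp` in AlumniSecurity outranks the open `*.jsp`, so index.jsp requires the AlumniUser role.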
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=8