"Craig R. McClanahan" wrote:
>
> Note:  any suggestions for spec clarifications should be sent to the email address
> on the front of the spec ([EMAIL PROTECTED]) to ensure that they get
> formally addressed.

Yep - I've posted some questions there, but as spec changes will be a long time
coming, I'm interested to find out how other interpret the current spec.


> > 0) As methods such as PUT, MOVE and DELETE are controlled by security
> >    constraints, then this may be an issue for more applications than
> >    you'd think.
> That depends totally on whether or not the servlet executing this request supports
> PUT.  Unless it does (i.e. you have a doPut() method, or you override service() and
> check the request method yourself), a PUT is not going to modify your web site --
> security constraints or not.  Same for the other methods.

PUT can create new static content, so there may not be a servlet there
at all.  Even if the container implements static content with a servlet,
then that servlet should implement PUT and take it's configuration
from the deployment descriptor.


> > 2) "/*" is not well defined in the spec, as it's obvious meaning
> >    is overloaded by the definition of "/" as the default mapping,
> >    so really "/*" == "/".
> This is not correct at all.  The "/*" mapping means "use this mapping for every
> request processed by this webapp."  The "/" mapping means "use this mapping *only*
> if no other mapping matches".

Sorry I did not make myself clear here - I meant "/" as a path not
as a pattern.  As mappings "/" and "/*" are different (in that /* takes
precidece over *.jsp,  while / does not).

What I am trying to say here, is that if you constrain access
to "/*" then there is no way for you to create a more
specific constraint for the a URL of "/".

I think an example would help.  I want to protect all the content of
my webapp except /public/* and /index.html.

So I create a security constraint at "/*" to constrain access.
I then create a relaxed constraint at "/index.html" and "/public/*"
to allow access.

But if somebody makes a request to

 http://host/context/

You would expect it to be forwarded to http://host/context/index.html
But it is caught by the /* security constraint and denied (or constrained)

Thus any paranoid webapp is denied the ability to have a
public default index.

Is that clearer?



However I was wrong in my previous post when I said:

> I can't put a servlet at / and wear the cost of the double
> dispatch of every request, because the content might be
> a dynamic JSP and *.jsp takes precident over /

Because as you say, I can put a servlet at  /* which takes
precedence over *.jsp

Thus the only portable way that I can think of to protect
a directory of arbitrary content is to front it with a
servlet and roll-your-own security.

It would be preferable to use the security constraint
mechanism - so that it can controled via the deployment
descriptor.


Which brings me back to my original questions regarding
clarification of the meaning of multiple and empty
security constaints?



--
Greg Wilkins<[EMAIL PROTECTED]>          GB  Phone: +44-(0)2074394045
Mort Bay Consulting Australia and UK.    Mbl Phone: +44-(0)7775534369
http://www.mortbay.com                   AU  Phone: +61-(0)2 99772395

___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".

Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html

Reply via email to