http://issues.apache.org/bugzilla/show_bug.cgi?id=27820

SecurityConstraint.findAuthRoles()

           Summary: SecurityConstraint.findAuthRoles()
           Product: Tomcat 5
           Version: 5.0.19
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Unknown
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]


The description for SecurityConstraint.findAuthRoles() states that "Return the
set of roles that are permitted access to the resources protected by this
security constraint. If none have been defined, a zero-length array is
returned (which implies that all authenticated users are permitted access)."

Reading the servlet 2.4 spec, it states that "An authorization constraint that
names no roles indicates that access to the constrained requests must not be
permitted under any circumstances."

This seems the opposite of the findAuthRoles() description. I haven't checked
how that method is actually being used, so I don't know if it's a security
risk, but the description is obviously wrong.
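As an added illustration of the servlet 2.4 semantics the report quotes (this is example code written for this page, not Tomcat's SecurityConstraint or Realm code and not the reporter's), the following class decides one security-constraint the way the spec describes: no auth-constraint element means everyone is permitted, an auth-constraint that names no roles means nobody is permitted, and a listed role means the caller must hold it. The class name AuthConstraintCheck, the method isPermitted, its parameters and the DECLARED_ROLES sample set are all hypothetical. The handling of the role name "*" follows the 2.4 spec, where "*" is shorthand for every role declared with security-role in the deployment descriptor.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Hypothetical, spec-derived authorization decision for a single
 * security-constraint. Not Tomcat code. Servlet 2.4 semantics:
 *   - no <auth-constraint> at all          -> everyone is permitted
 *   - <auth-constraint/> naming no roles   -> nobody is permitted
 *   - <auth-constraint> naming roles       -> permitted only if the caller holds one
 *   - the role name "*" is shorthand for all <security-role> names in web.xml
 */
public final class AuthConstraintCheck {

    /** Constructed sample of declared <security-role> names; not from a real web.xml. */
    static final Set<String> DECLARED_ROLES =
            new HashSet<>(Arrays.asList("admin", "manager", "user"));

    /**
     * @param authConstraintPresent true if the constraint carries an <auth-constraint> element
     * @param authRoles             role names listed inside it (empty when it names none)
     * @param callerRoles           roles held by the caller (empty for an unauthenticated caller)
     */
    public static boolean isPermitted(boolean authConstraintPresent,
                                      List<String> authRoles,
                                      Set<String> callerRoles) {
        if (!authConstraintPresent) {
            // No authorization constraint: the resource is open to all callers.
            return true;
        }
        if (authRoles.isEmpty()) {
            // Empty auth-constraint: the spec says deny under any circumstances,
            // which is the opposite of "all authenticated users are permitted".
            return false;
        }
        for (String role : authRoles) {
            if ("*".equals(role)) {
                // "*" expands to every role declared in the deployment descriptor.
                if (!Collections.disjoint(DECLARED_ROLES, callerRoles)) {
                    return true;
                }
            } else if (callerRoles.contains(role)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        Set<String> manager = Collections.singleton("manager");
        Set<String> anonymous = Collections.emptySet();

        // <security-constraint> without <auth-constraint>, anonymous caller
        System.out.println(isPermitted(false, Collections.emptyList(), anonymous));
        // <auth-constraint/> naming no role, authenticated manager
        System.out.println(isPermitted(true, Collections.emptyList(), manager));
        // <auth-constraint><role-name>admin</role-name></auth-constraint>, manager
        System.out.println(isPermitted(true, Collections.singletonList("admin"), manager));
        // <auth-constraint><role-name>*</role-name></auth-constraint>, manager
        System.out.println(isPermitted(true, Collections.singletonList("*"), manager));
    }
}
```

The second call in main is the case the report is about: an authenticated user who holds a declared role is still refused when the auth-constraint names no roles. A container that instead treated the empty role list as "any authenticated user" would grant access the deployment descriptor was written to deny, which is why the wording of the findAuthRoles() javadoc matters beyond documentation.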