Hello, I'm trying some web.xml security features and think that Catalina does'nt
perform url pattern very well in some cases (whatever the kind of Realm).
For example :
Roles : Administrateur and DTN
protected ressources :
"/pages/secret1/*.jsp" reserved for Administrateur role
"/pages/*.jsp" reserved for Administrateur and DTN roles
When the current user has only DTN role, the first pattern is not filtered and so the
ressource is not protected while if the first pattern is a straightforward ressource
(say /pages/secret1/myfile.jsp) is correctly safe.
any idea ?
thanks in advance,
Arnaud
web.xml sample :
<security-constraint>
<web-resource-collection>
<web-resource-name>webapp2</web-resource-name>
<url-pattern>/pages/secret1/*.jsp</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>Administrateur</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>webapp1</web-resource-name>
<url-pattern>/pages/*.jsp</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>DTN</role-name>
<role-name>Administrateur</role-name>
</auth-constraint>
</security-constraint>
