Hello, I'm trying some web.xml security features and think that Catalina 
doesn't perform url pattern matching very well in some cases (whatever the kind of Realm).
        
        For example:
        Roles: Administrateur and DTN
        Protected resources:
                     "/pages/secret1/*.jsp" reserved for Administrateur role
                     "/pages/*.jsp"         reserved for Administrateur and DTN roles
        
        When the current user has only the DTN role, the first pattern is not filtered and 
so the resource is not protected, while if the first pattern is a straightforward 
resource (say /pages/secret1/myfile.jsp), it is correctly safe.
        Any idea?
        Thanks in advance,
        Arnaud
        
        web.xml sample :
        
        <security-constraint>
              <web-resource-collection>
                <web-resource-name>webapp2</web-resource-name>
                <url-pattern>/pages/secret1/*.jsp</url-pattern>
              </web-resource-collection>
              <auth-constraint>
                   <role-name>Administrateur</role-name>
              </auth-constraint>
         </security-constraint>
        
         <security-constraint>
              <web-resource-collection>
                <web-resource-name>webapp1</web-resource-name>
                <url-pattern>/pages/*.jsp</url-pattern>
              </web-resource-collection>
              <auth-constraint>
                   <role-name>DTN</role-name>
                   <role-name>Administrateur</role-name>
              </auth-constraint>
         </security-constraint>
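
The following is an added example, not part of the original post and not Catalina's code: a small Python model of the Servlet specification's url-pattern rules, applied to the two constraints above. It assumes the container follows those rules and picks the best-matching pattern (Servlet 2.4 and later); the `PREFIX` variant, the function names and the request paths are constructed for illustration, and the prefix patterns cover every resource under the directory, not only `.jsp` files.

```python
# Model of the Servlet specification's url-pattern rules (added example).
# POSTED mirrors the web.xml in the post; PREFIX is a constructed alternative.

def classify(pattern):
    """Return the mapping type the specification assigns to a url-pattern."""
    if pattern.startswith("/") and pattern.endswith("/*"):
        return "path"        # prefix mapping, e.g. /pages/*
    if pattern.startswith("*."):
        return "extension"   # extension mapping, e.g. *.jsp
    if pattern == "/":
        return "default"
    return "exact"           # everything else, including /dir/*.jsp

def matches(pattern, path):
    kind = classify(pattern)
    if kind == "path":
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if kind == "extension":
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    if kind == "default":
        return True
    return path == pattern   # "*" is a literal character here

def allowed_roles(constraints, path):
    """Roles of the best-matching constraint, or None if no constraint applies."""
    rank = {"exact": 0, "path": 1, "extension": 2, "default": 3}
    hits = [(rank[classify(p)], -len(p), roles)
            for p, roles in constraints if matches(p, path)]
    return min(hits, key=lambda h: h[:2])[2] if hits else None

POSTED = [("/pages/secret1/*.jsp", {"Administrateur"}),
          ("/pages/*.jsp", {"DTN", "Administrateur"})]
PREFIX = [("/pages/secret1/*", {"Administrateur"}),
          ("/pages/*", {"DTN", "Administrateur"})]

if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("prefix", PREFIX)):
        for path in ("/pages/secret1/myfile.jsp", "/pages/index.jsp"):
            print(name, path, allowed_roles(rules, path))
```
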