Hi,
I'm a little bit confused about the use of the security-role tag, generally
and especially in Tomcat. The WebApp DTD's comment on the auth-constraint
element reads as follows:
"... The role-name used here must either correspond to the role-name of one
of the security-role elements defined for this web application, or be the
specially reserved role-name "*" that is a compact syntax for indicating all
roles in the web application. ... If no roles are defined, no user is allowed
access to the portion of the web application described by the containing
security-constraint..."
My observations with TC 4.1.16:
The role-name in auth-constraint isn't verified against a corresponding
security-role definition. (test: replace "*" with the role tomcat and do not
define a corresponding security-role.) According to the spec this is a MUST.
IMO this means that "*" is limited to indicating all roles in THE WEB
APPLICATION and should not do this for roles in other web applications,
even if they share the same realm.
I understand the last sentence of the spec abstract above as a MUST. And
"no roles are defined" relates in my eyes to "the web application".
Tested with:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
  PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <servlet>
    <servlet-name>RoleRef</servlet-name>
    <jsp-file>/test.jsp</jsp-file>
  </servlet>
  <servlet-mapping>
    <servlet-name>RoleRef</servlet-name>
    <url-pattern>/test</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>WebCollection</web-resource-name>
      <url-pattern>/test</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>default</realm-name>
  </login-config>
  <!-- uncommenting security-role causes nothing -->
  <security-role>
    <role-name>specialrole</role-name>
  </security-role>
</web-app>
Only specialrole should have permission to access the resource test.jsp;
if uncommented, no user should have this permission. But in Tomcat any role
(e.g. tomcat, from the global context) has the permission in both cases ...
IMO this can't be the specified behaviour?
Comments are welcome.
Regards,
Thomas
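The cross-check the message says Tomcat does not perform can be done on the deployment descriptor itself before deployment. The following script is an added example, not code from Thomas or from Tomcat: it parses a web.xml and resolves each auth-constraint against the security-role elements exactly as the quoted DTD comment describes, so that "*" expands only to this web application's declared roles, a role-name with no matching security-role is reported, and a constraint that resolves to no roles at all is shown as admitting nobody. The helper names `build_web_xml` and `check_web_xml` are my own, and `build_web_xml` constructs a trimmed variant of the descriptor from the message (no DOCTYPE, no servlet section) so the three cases Thomas tested can be run side by side.

```python
"""Resolve auth-constraint role names against security-role declarations.

Added example (not Tomcat code). Implements the Servlet 2.3 DTD comment
quoted in the message:
  - a role-name must match a security-role of THIS web application,
    or be the reserved "*" meaning all roles of this web application;
  - if that leaves no roles, no user is allowed access to the constrained part.
"""
import xml.etree.ElementTree as ET


def build_web_xml(constraint_roles, declared):
    """Constructed minimal web.xml modelled on the one in the message.

    constraint_roles: list of role-name strings for the auth-constraint,
                      or None to emit no auth-constraint at all.
    declared:         list of role-name strings to declare as security-role.
    """
    auth = ""
    if constraint_roles is not None:
        auth = ("<auth-constraint>"
                + "".join(f"<role-name>{r}</role-name>" for r in constraint_roles)
                + "</auth-constraint>")
    roles = "".join(f"<security-role><role-name>{r}</role-name></security-role>"
                    for r in declared)
    return f"""<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>WebCollection</web-resource-name>
      <url-pattern>/test</url-pattern>
    </web-resource-collection>
    {auth}
  </security-constraint>
  {roles}
</web-app>"""


def declared_roles(root):
    """Role names declared via <security-role> in this web application."""
    return {e.text.strip() for e in root.findall("./security-role/role-name") if e.text}


def check_web_xml(xml_text):
    """Return one dict per security-constraint:
       constraint: the web-resource-name (or "<unnamed>")
       allowed:    set of roles admitted after resolving "*"; empty set means
                   nobody is admitted; None means no auth-constraint (open)
       undeclared: role names used but not declared as security-role
    """
    root = ET.fromstring(xml_text)
    declared = declared_roles(root)
    report = []
    for sc in root.findall("./security-constraint"):
        name_el = sc.find("./web-resource-collection/web-resource-name")
        name = name_el.text.strip() if name_el is not None and name_el.text else "<unnamed>"
        ac = sc.find("./auth-constraint")
        if ac is None:
            # No auth-constraint: the resource is not role-restricted at all.
            report.append({"constraint": name, "allowed": None, "undeclared": []})
            continue
        allowed, undeclared = set(), []
        for e in ac.findall("./role-name"):
            rn = (e.text or "").strip()
            if rn == "*":
                allowed |= declared          # all roles of THIS web application
            elif rn in declared:
                allowed.add(rn)
            elif rn:
                undeclared.append(rn)        # spec violation: no matching security-role
        report.append({"constraint": name, "allowed": allowed, "undeclared": undeclared})
    return report


if __name__ == "__main__":
    cases = {
        '"*" with specialrole declared': build_web_xml(["*"], ["specialrole"]),
        '"*" with no security-role':     build_web_xml(["*"], []),
        'role tomcat, not declared':     build_web_xml(["tomcat"], []),
        'no auth-constraint':            build_web_xml(None, []),
    }
    for label, xml_text in cases.items():
        for entry in check_web_xml(xml_text):
            who = "nobody" if entry["allowed"] == set() else entry["allowed"]
            print(f"{label:32} -> allowed: {who}, undeclared: {entry['undeclared']}")
```

Run against the descriptor from the message, the first case resolves "*" to `{'specialrole'}` only, the second (security-role commented out) resolves to nobody, and the third flags `tomcat` as undeclared; a deployment-time lint built this way catches exactly the configuration the message reports Tomcat 4.1.16 accepting silently.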