See intermixed.

On Thu, 19 Dec 2002, Thomas Paradies wrote:

> Date: Thu, 19 Dec 2002 08:40:52 +0100
> From: Thomas Paradies <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Is TC role mapping spec conform?
>
> Hi,
>
> I'm a little bit confused about the use of the security-role tag - generally
> and especially in Tomcat. The WebApp DTD refers for auth-constraint to this
> element commented as follows:
>
> "... The role-name used here must either correspond to the role-name of one
> of the security-role elements defined for this web application, or be the
> specially reserved role-name "*" that is a compact syntax for indicating all
> roles in the web application. ... If no roles are defined, no user is allowed
> access to the portion of the web application described by the containing
> security-constraint..."
>
> My observations with TC 4.1.16:
> The role-name in auth-constraint isn't verified against a corresponding
> security-role definition. (test: replace * by role tomcat, do not define a
> corresponding security-role) According to spec this is a MUST.

You're correct ... it's a bug in Tomcat that this restriction is not
enforced.  In 4.1 you get a warning in your log files, but enforcing it
now would cause lots of existing apps to break.

>
> IMO this means that "*" is limited for indicating all roles in THE WEB
> APPLICATION and should not do this for roles in other web applications
> even if they share the same realm.

Sharing a Realm is a Tomcat feature not covered in the spec, so there is
no rule defining what the correct behavior is.  Tomcat interprets "*" as
meaning "any authenticated user", which is not quite the same thing as the
spec language either.

I suggest submitting a bug report to report this:

  http://nagoya.apache.org/bugzilla/


Craig

>
> I understand the last sentence of the spec abstract above as a MUST. And
> "no roles are defined" relates in my eyes to "the web application".
>
> Tested with:
>
> <?xml version="1.0" encoding="ISO-8859-1"?>
> <!DOCTYPE web-app
>      PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
>      "http://java.sun.com/dtd/web-app_2_3.dtd">
>  <web-app>
>    <servlet>
>      <servlet-name>RoleRef</servlet-name>
>      <jsp-file>/test.jsp</jsp-file>
>    </servlet>
>    <servlet-mapping>
>      <servlet-name>
>        RoleRef
>      </servlet-name>
>      <url-pattern>
>        /test
>      </url-pattern>
>    </servlet-mapping>
>    <security-constraint>
>      <web-resource-collection>
>        <web-resource-name>WebCollection</web-resource-name>
>        <url-pattern>/test</url-pattern>
>      </web-resource-collection>
>      <auth-constraint>
>        <role-name>*</role-name>
>      </auth-constraint>
>    </security-constraint>
>    <login-config>
>      <auth-method>BASIC</auth-method>
>      <realm-name>default</realm-name>
>    </login-config>
>    <!-- uncommenting security-role causes nothing -->
>    <security-role>
>      <role-name>specialrole</role-name>
>    </security-role>
>  </web-app>
>
> Only specialRole should have the permission to access the resource test.jsp,
> if uncommented no user should have this permission - but in Tomcat any role
> (e.g. tomcat, from global context) has in both cases the permission ...
>
> IMO this couldn't be the specified behaviour?
> Comments are welcome.
>
> Regards,
>
> Thomas
>
> --
> To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
>
>


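An added example, not Tomcat's code and not from either poster: a small lint for a web.xml that performs the check Craig says Tomcat 4.1 only warns about (auth-constraint role-names with no matching security-role) and lists the url-patterns guarded by "*", which the spec reads as every role declared in the web application and Tomcat as any authenticated user. The sample descriptor is constructed from the one Thomas posted, with the "tomcat" role substituted as in his test; it assumes an un-namespaced Servlet 2.3 descriptor.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the descriptor in the thread: the first
# constraint names the undeclared role "tomcat", the second uses "*", and
# the only declared security-role is "specialrole".
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>WebCollection</web-resource-name>
      <url-pattern>/test</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>tomcat</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>specialrole</role-name></security-role>
</web-app>
"""

def check_role_mapping(web_xml):
    """Lint auth-constraint role-names against the declared security-roles.
    Returns (declared, undeclared, wildcard): the set of declared roles, a
    {url-pattern: [role, ...]} map of references with no security-role
    (the spec MUST that Tomcat 4.1 only logs), and the url-patterns guarded
    by "*" (spec: every declared role; Tomcat: any authenticated user)."""
    root = ET.fromstring(web_xml)
    declared = {r.text.strip() for r in root.iterfind("security-role/role-name")}
    undeclared, wildcard = {}, []
    for sc in root.iterfind("security-constraint"):
        patterns = [p.text.strip()
                    for p in sc.iterfind("web-resource-collection/url-pattern")]
        for rn in sc.iterfind("auth-constraint/role-name"):
            role = rn.text.strip()
            if role == "*":
                wildcard.extend(patterns)
            elif role not in declared:
                for p in patterns:
                    undeclared.setdefault(p, []).append(role)
    return declared, undeclared, wildcard

if __name__ == "__main__":
    d, u, w = check_role_mapping(SAMPLE_WEB_XML)
    print("undeclared:", u, "| wildcard patterns:", w)
```

Run it against a deployed descriptor to find the constraints that deny nobody because the referenced role is missing, or that rely on "*" with different meanings in the spec and in Tomcat.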