[ https://issues.jboss.org/browse/AS7-3415?page=com.atlassian.jira.plugin.s... ]
Remy Maucherat commented on AS7-3415:
-------------------------------------
One of the things that I hate most is bogus bug reports, where something wrong is presented in a "logical" and "reasonable" way, and could prompt making "fixes" that are actual regressions - and a regression here is automatically a security issue. Please read the chapter on @ServletSecurity, it explains how it is processed.

You don't have to write spec tests like they are in the TCK (with plenty of @ServletSecurity tests already for the quite complicated processing of @ServletSecurity), but rather AS specific ones, like using jboss-web.xml to make configuration changes maybe.
security-constraint/user-data-constraint/transport-guarantee in web.xml file doesn't override setting from servlet @ServletSecurity transportGuarantee parameter
----------------------------------------------------------------------------------------------------------------------------------------------------------------
Key: AS7-3415
URL: https://issues.jboss.org/browse/AS7-3415
Project: Application Server 7
Issue Type: Bug
Components: Web
Affects Versions: 7.1.0.CR1b
Reporter: Peter Skopek
Assignee: Remy Maucherat
security-constraint/user-data-constraint/transport-guarantee in web.xml file doesn't override setting from servlet @ServletSecurity transportGuarantee parameter
{noformat}
My settings:

@ServletSecurity(@HttpConstraint(rolesAllowed = { "gooduser" },
                                 transportGuarantee = TransportGuarantee.CONFIDENTIAL))

web.xml excerpt:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>sec</web-resource-name>
    <url-pattern>/tgmixed/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>gooduser</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
{noformat}
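The disagreement above is about which source wins when web.xml and @ServletSecurity both cover a URL pattern. The following is an added audit script, not code from the issue, the reporter or JBoss AS; it parses a web.xml (the excerpt from the report, embedded here as constructed input), applies the precedence rule as I read it from the Servlet 3.0 specification (Section 13.4.1: a security-constraint whose url-pattern exactly matches a pattern mapped to the annotated servlet replaces the annotation for that pattern, which the issue itself does not spell out, so treat it as an assumption), and flags any pattern where the descriptor weakens the transport guarantee the annotation asked for. The servlet mapping `/tgmixed/*` and the extra pattern `/other/*` are assumed for illustration; the report does not show the servlet's own mappings.

```python
import xml.etree.ElementTree as ET

# Constructed input: the web.xml excerpt from the issue description, wrapped in a
# root element so it parses on its own.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>sec</web-resource-name>
      <url-pattern>/tgmixed/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>gooduser</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

# Ordering used to decide whether one guarantee is weaker than another.
GUARANTEE_RANK = {"NONE": 0, "INTEGRAL": 1, "CONFIDENTIAL": 2}


def parse_constraints(xml_text):
    """Map each url-pattern in a security-constraint to its transport guarantee
    and role list. The {*} wildcard makes this work for descriptors that declare
    the Java EE namespace as well as for the bare excerpt above."""
    root = ET.fromstring(xml_text)
    constraints = {}
    for sc in root.iterfind(".//{*}security-constraint"):
        tg_el = sc.find("{*}user-data-constraint/{*}transport-guarantee")
        # The spec default when no user-data-constraint is present is NONE.
        transport = tg_el.text.strip() if tg_el is not None and tg_el.text else "NONE"
        roles = [r.text.strip() for r in sc.findall("{*}auth-constraint/{*}role-name") if r.text]
        for pat in sc.findall("{*}web-resource-collection/{*}url-pattern"):
            constraints[pat.text.strip()] = {"transport": transport, "roles": roles}
    return constraints


def effective_guarantee(web_xml_constraints, servlet_patterns, annotation_tg):
    """Assumption (Servlet 3.0 sec. 13.4.1 as read here): for a pattern mapped to the
    annotated servlet, an exact url-pattern match in web.xml disables the annotation
    for that pattern; every other mapped pattern gets the annotation's guarantee."""
    effective = {}
    for pattern in servlet_patterns:
        if pattern in web_xml_constraints:
            effective[pattern] = (web_xml_constraints[pattern]["transport"], "web.xml")
        else:
            effective[pattern] = (annotation_tg, "@ServletSecurity")
    return effective


def downgrades(effective, annotation_tg):
    """Patterns where the descriptor leaves the servlet with a weaker transport
    guarantee than the annotation requested: the thing a reviewer wants to see."""
    return [
        pattern
        for pattern, (transport, source) in effective.items()
        if source == "web.xml" and GUARANTEE_RANK[transport] < GUARANTEE_RANK[annotation_tg]
    ]


if __name__ == "__main__":
    constraints = parse_constraints(WEB_XML)
    # Assumed servlet mappings; the report does not list them.
    effective = effective_guarantee(constraints, ["/tgmixed/*", "/other/*"], "CONFIDENTIAL")
    for pattern, (transport, source) in effective.items():
        print(f"{pattern}: {transport} (from {source})")
    print("downgraded by web.xml:", downgrades(effective, "CONFIDENTIAL"))
```

Run against the report's configuration, the script shows `/tgmixed/*` ending up with `NONE` from web.xml while `/other/*` keeps `CONFIDENTIAL` from the annotation. Under the precedence rule assumed here, that is the specified outcome rather than a container defect, which is the point the comment above makes; the useful deployment check is the `downgrades` list, which surfaces descriptor entries that silently weaken what the code asked for.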