[jboss-jira] [JBoss JIRA] Created: (JBAS-5069) org.jboss.test.security.test.WebConstraintsUnitTestCase (Excluded Access failures)

Anil Saldhana (JIRA) jira-events at lists.jboss.org
Mon Dec 10 01:07:53 EST 2007


org.jboss.test.security.test.WebConstraintsUnitTestCase (Excluded Access failures)
----------------------------------------------------------------------------------

                 Key: JBAS-5069
                 URL: http://jira.jboss.com/jira/browse/JBAS-5069
             Project: JBoss Application Server
          Issue Type: Bug
      Security Level: Public (Everyone can see)
          Components: Web (Tomcat) service
    Affects Versions: JBossAS-5.0.0.Beta2
         Environment: org.jboss.test.security.test.WebConstraintsUnitTestCase

Reproduce:
a) Start JBoss5
b) ant -Dtest=org.jboss.test.security.test.WebConstraintsUnitTestCase one-test
            Reporter: Anil Saldhana
         Assigned To: Remy Maucherat
             Fix For:  JBossAS-5.0.0.Beta3


With JBoss/Web, the excluded security constraints seem not to be working.

The web.xml is:
http://anonsvn.jboss.org/repos/jbossas/trunk/testsuite/src/resources/security/web-constraints/web.xml

The errors are:
http://hudson.jboss.org/hudson/view/JBoss%20AS/job/JBoss-AS-5.0.x-TestSuite-sun15-noip/lastBuild/testReport/org.jboss.test.security.test/WebConstraintsUnitTestCase(tests-security-basic-unit)/testGetAccess/
http://hudson.jboss.org/hudson/view/JBoss%20AS/job/JBoss-AS-5.0.x-TestSuite-sun15-noip/lastBuild/testReport/org.jboss.test.security.test/WebConstraintsUnitTestCase(tests-security-basic-unit)/testExcludedAccess/


Failing calls:
1) testGetAccess()  [GET IS EXCLUDED as per security constraint "excluded"]
{
      // Validate that the excluded subcontext is not accessible
      url = new URL(baseURL+"web-constraints/restricted/get-only/excluded/x");
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN);

2) testExcludedAccess()  [Security Constraint "Excluded GET"]
   public void testExcludedAccess() throws Exception
   {
      String baseURL = HttpUtils.getBaseURL("getUser", "getUserPass");
      // Test the excluded security-constraint
      URL url = new URL(baseURL+"web-constraints/excluded/x");
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN);
......


Remy, please tell me if it is an issue with our security layer.

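Added illustration, not part of the original report or the JBoss testsuite: a small evaluator that computes the status a servlet container should return for a request, showing why both failing tests expect 403 from an excluded constraint (an `auth-constraint` with no roles). The descriptor is constructed; its URL patterns and the role name `GetRole` are assumptions modelled on the URLs the tests request. It covers exact and `/prefix/*` patterns only and ignores the `*` role, extension patterns and `user-data-constraint`.

```python
import xml.etree.ElementTree as ET
# Constructed descriptor, NOT the testsuite's web.xml; patterns and role are assumptions.
WEB_XML = """<web-app>
 <security-constraint>
  <web-resource-collection>
   <url-pattern>/restricted/get-only/*</url-pattern>
   <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>GetRole</role-name></auth-constraint>
 </security-constraint>
 <security-constraint>
  <web-resource-collection>
   <web-resource-name>excluded</web-resource-name>
   <url-pattern>/restricted/get-only/excluded/*</url-pattern>
   <url-pattern>/excluded/*</url-pattern>
  </web-resource-collection>
  <auth-constraint/>
 </security-constraint>
</web-app>"""

def load(xml_text):
    """Rows of (pattern, methods, roles); roles == set() is an excluded constraint."""
    rows = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        auth = sc.find("auth-constraint")
        roles = None if auth is None else {r.text.strip() for r in auth.iter("role-name")}
        for wrc in sc.iter("web-resource-collection"):
            methods = {m.text.strip() for m in wrc.iter("http-method")}
            rows += [(p.text.strip(), methods, roles) for p in wrc.iter("url-pattern")]
    return rows

def expected_status(rows, path, method, user_roles=()):
    """Status the container should return for a context-relative path."""
    def rank(pat):  # exact match beats the longest matching /prefix/* pattern
        if pat == path:
            return 10**6
        return len(pat) if pat.endswith("/*") and (path + "/").startswith(pat[:-1]) else -1
    best = max((rank(p) for p, _, _ in rows), default=-1)
    if best < 0:
        return 200  # no constraint covers this path
    # Only constraints on the best-match pattern apply; an empty method set means all methods.
    roles = [r for p, m, r in rows if rank(p) == best and (not m or method in m)]
    if any(r == set() for r in roles):
        return 403  # excluded: denied to everyone, authenticated or not
    if not roles or any(r is None for r in roles):
        return 200  # method unconstrained, or constraint carries no auth-constraint
    if not user_roles:
        return 401  # authentication required first
    return 200 if set().union(*roles) & set(user_roles) else 403
```

Comparing these expected statuses with what the running server actually returns for the same paths helps tell a container enforcement bug apart from a descriptor that does not say what was intended.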