[jboss-jira] [JBoss JIRA] Commented: (JBAS-5069) org.jboss.test.security.test.WebConstraintsUnitTestCase (Excluded Access failures)
Remy Maucherat (JIRA)
jira-events at lists.jboss.org
Tue Dec 11 11:12:52 EST 2007
[ http://jira.jboss.com/jira/browse/JBAS-5069?page=comments#action_12391589 ]
Remy Maucherat commented on JBAS-5069:
--------------------------------------
I am using an empty WAR with the web.xml you provided for testing (if a request goes through the constraints, it will return a 500, which is good enough). Not surprisingly, I cannot reproduce the issue in JBoss Web 2.1 standalone, but it "works" in AS 5.0. One possibility for the problem is that parsing of the web.xml is not done properly.
> org.jboss.test.security.test.WebConstraintsUnitTestCase (Excluded Access failures)
> ----------------------------------------------------------------------------------
>
> Key: JBAS-5069
> URL: http://jira.jboss.com/jira/browse/JBAS-5069
> Project: JBoss Application Server
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: Web (Tomcat) service
> Affects Versions: JBossAS-5.0.0.Beta2
> Environment: org.jboss.test.security.test.WebConstraintsUnitTestCase
> Reproduce:
> a) Start JBoss5
> b) ant -Dtest=org.jboss.test.security.test.WebConstraintsUnitTestCase one-test
> Reporter: Anil Saldhana
> Assigned To: Remy Maucherat
> Fix For: JBossAS-5.0.0.Beta3
>
>
> With JBoss/Web, the excluded security constraints seem to be not working.
> The web.xml is:
> http://anonsvn.jboss.org/repos/jbossas/trunk/testsuite/src/resources/security/web-constraints/web.xml
> The errors are:
> http://hudson.jboss.org/hudson/view/JBoss%20AS/job/JBoss-AS-5.0.x-TestSuite-sun15-noip/lastBuild/testReport/org.jboss.test.security.test/WebConstraintsUnitTestCase(tests-security-basic-unit)/testGetAccess/
> http://hudson.jboss.org/hudson/view/JBoss%20AS/job/JBoss-AS-5.0.x-TestSuite-sun15-noip/lastBuild/testReport/org.jboss.test.security.test/WebConstraintsUnitTestCase(tests-security-basic-unit)/testExcludedAccess/
> Failing calls:
> 1) testGetAccess() [GET IS EXCLUDED as per security constraint "excluded"]
> {
> // Validate that the excluded subcontext is not accessible
> url = new URL(baseURL+"web-constraints/restricted/get-only/excluded/x");
> HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN);
> 2) testExcludedAccess() [Security Constraint "Excluded GET"]
> public void testExcludedAccess() throws Exception
> {
> String baseURL = HttpUtils.getBaseURL("getUser", "getUserPass");
> // Test the excluded security-constraint
> URL url = new URL(baseURL+"web-constraints/excluded/x");
> HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN);
> ......
> Remy, please tell me if it is an issue with our security layer.
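
Added example, not part of the original message or the JBoss test suite: a static check of which requests a descriptor's excluded constraints (an `auth-constraint` with no `role-name`) should reject, using a simplified model of the Servlet specification's best-match URL pattern rule. The embedded web.xml is constructed from the URLs in the failing tests rather than copied from the linked file; the `GetRole` role and all function names are assumptions, and paths are relative to the context root.

```python
import xml.etree.ElementTree as ET
# Constructed descriptor; patterns are inferred from the test URLs, not copied.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
 <security-constraint>
  <web-resource-collection>
   <url-pattern>/excluded/*</url-pattern>
   <url-pattern>/restricted/get-only/excluded/*</url-pattern>
  </web-resource-collection>
  <auth-constraint/>
 </security-constraint>
 <security-constraint>
  <web-resource-collection>
   <url-pattern>/restricted/get-only/*</url-pattern>
   <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>GetRole</role-name></auth-constraint>
 </security-constraint>
</web-app>"""

def _kids(elem, name):
    # Children by local name, so a namespaced descriptor parses the same way.
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def load_constraints(xml_text):
    """Return (url_pattern, methods, excluded) triples; empty methods = all."""
    out = []
    for sc in _kids(ET.fromstring(xml_text), "security-constraint"):
        auth = _kids(sc, "auth-constraint")
        excluded = bool(auth) and not _kids(auth[0], "role-name")
        for wrc in _kids(sc, "web-resource-collection"):
            methods = {m.text.strip().upper() for m in _kids(wrc, "http-method")}
            out += [(p.text.strip(), methods, excluded) for p in _kids(wrc, "url-pattern")]
    return out

def _rank(pattern, path):
    # Match precedence: exact, then longest path prefix, extension, default.
    if pattern == path:
        return (3, 0)
    if pattern.endswith("/*") and (path + "/").startswith(pattern[:-1]):
        return (2, len(pattern))
    if pattern.startswith("*.") and path.rsplit("/", 1)[-1].endswith(pattern[1:]):
        return (1, 0)
    return (0, 0) if pattern == "/" else None

def is_excluded(xml_text, method, path):
    """True if the best-matching pattern has an excluded constraint for method."""
    rules = load_constraints(xml_text)
    ranked = [(r, p) for p, _, _ in rules if (r := _rank(p, path)) is not None]
    best = max(ranked)[1] if ranked else None
    return any(ex and (not m or method.upper() in m) for p, m, ex in rules if p == best)
```

A container that parses the descriptor correctly should answer 403 for every request where `is_excluded` returns `True`; a mismatch points at descriptor parsing or constraint evaluation rather than at the test.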