[jboss-jira] [JBoss JIRA] (AS7-3415) security-constraint/user-data-constraint/transport-guarantee in web.xml file doesn't override setting from servlet @ServletSecurity transportGuarantee parameter

Remy Maucherat (JIRA) jira-events at lists.jboss.org
Mon Jan 23 09:33:19 EST 2012


     [ https://issues.jboss.org/browse/AS7-3415?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Remy Maucherat resolved AS7-3415.
---------------------------------

    Resolution: Rejected


Ok, so it's invalid then. A servlet security does not apply to paths that have any static constraint, but your constraint from web.xml is not the exact match, so it's just there doing nothing.

You probably shouldn't be writing tests that duplicate tests in the TCK IMO.
                
> security-constraint/user-data-constraint/transport-guarantee in web.xml file doesn't override setting from servlet @ServletSecurity transportGuarantee parameter
> ----------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: AS7-3415
>                 URL: https://issues.jboss.org/browse/AS7-3415
>             Project: Application Server 7
>          Issue Type: Bug
>          Components: Web
>    Affects Versions: 7.1.0.CR1b
>            Reporter: Peter Skopek
>            Assignee: Remy Maucherat
>
> security-constraint/user-data-constraint/transport-guarantee in web.xml file doesn't override setting from servlet @ServletSecurity transportGuarantee parameter
> {noformat}
> My settings:
> @ServletSecurity(@HttpConstraint(rolesAllowed = { "gooduser" }, transportGuarantee = TransportGuarantee.CONFIDENTIAL) )
> web.xml excerpt:
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>sec</web-resource-name>
>             <url-pattern>/tgmixed/*</url-pattern>
>             <http-method>GET</http-method>
>             <http-method>POST</http-method>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>gooduser</role-name>
>         </auth-constraint>
>         <user-data-constraint>
>             <transport-guarantee>NONE</transport-guarantee>
>         </user-data-constraint>
>     </security-constraint>
> {noformat}

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
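
The exact-match rule from the resolution above, as an added example (not part of the original message or of JBoss AS): a small audit check that reads web.xml and reports, per annotated servlet mapping, whether @ServletSecurity is still in effect. The servlet mappings `/tgmixed/servlet` and `/tgexact/servlet` and the second security-constraint are assumptions constructed for the example; the report does not give the servlet's mapping.

```python
import xml.etree.ElementTree as ET

# Constructed descriptor: the /tgmixed/* pattern from the report, plus a second
# constraint whose url-pattern is identical to a (hypothetical) servlet mapping.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/tgmixed/*</url-pattern></web-resource-collection>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/tgexact/servlet</url-pattern></web-resource-collection>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""

# Hypothetical servlet mappings -> transportGuarantee set via @ServletSecurity.
ANNOTATED = {"/tgmixed/servlet": "CONFIDENTIAL", "/tgexact/servlet": "CONFIDENTIAL"}

def local(tag):
    """Strip an XML namespace prefix such as {http://...}url-pattern."""
    return tag.rsplit("}", 1)[-1]

def descriptor_constraints(xml_text):
    """Map each url-pattern in a security-constraint to its transport-guarantee."""
    result = {}
    for sc in ET.fromstring(xml_text).iter():
        if local(sc.tag) != "security-constraint":
            continue
        tg = [e.text.strip() for e in sc.iter() if local(e.tag) == "transport-guarantee"]
        for e in sc.iter():
            if local(e.tag) == "url-pattern":
                result[e.text.strip()] = tg[0] if tg else "NONE"
    return result

def annotation_status(xml_text, annotated):
    """For each annotated mapping, report which source governs that pattern."""
    static = descriptor_constraints(xml_text)
    report = {}
    for pattern, guarantee in annotated.items():
        if pattern in static:  # identical pattern string: the annotation has no effect
            report[pattern] = ("descriptor", static[pattern])
        else:  # /tgmixed/* is not the same pattern as /tgmixed/servlet
            report[pattern] = ("annotation", guarantee)
    return report

if __name__ == "__main__":
    for p, (src, tg) in annotation_status(WEB_XML, ANNOTATED).items():
        print(f"{p}: governed by {src}, transport-guarantee {tg}")
```

Running it shows the annotation's CONFIDENTIAL surviving next to the `/tgmixed/*` constraint and being replaced only where the descriptor repeats the mapping's pattern exactly.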

        

