[jboss-jira] [JBoss JIRA] (AS7-3415) security-constraint/user-data-constraint/transport-guarantee in web.xml file doesn't override setting from servlet @ServletSecurity transportGuarantee parameter

Peter Skopek (JIRA) jira-events at lists.jboss.org
Tue Jan 24 06:11:18 EST 2012


    [ https://issues.jboss.org/browse/AS7-3415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12661397#comment-12661397 ] 

Peter Skopek commented on AS7-3415:
-----------------------------------

I have added one commit to the pull request above. 
The security constraint url-pattern in web.xml contains /tg_mixed_override/* and the servlet is mapped on /tg_mixed_override/srv/*.
The test is failing because access over non-confidential transport is possible, and IMO it should not be.
The truth is that if one changes the security constraint url-pattern to /tg_mixed_override/srv/*, the test passes.

I cannot see any part of the spec. which says that, in case a static constraint is used, the constraint from web.xml has to be an exact match.

The same case works for a test set up with a non-annotated servlet and a web.xml DD.

                
> security-constraint/user-data-constraint/transport-guarantee in web.xml file doesn't override setting from servlet @ServletSecurity transportGuarantee parameter
> ----------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: AS7-3415
>                 URL: https://issues.jboss.org/browse/AS7-3415
>             Project: Application Server 7
>          Issue Type: Bug
>          Components: Web
>    Affects Versions: 7.1.0.CR1b
>            Reporter: Peter Skopek
>            Assignee: Remy Maucherat
>
> security-constraint/user-data-constraint/transport-guarantee in web.xml file doesn't override setting from servlet @ServletSecurity transportGuarantee parameter
> {noformat}
> My settings:
> @ServletSecurity(@HttpConstraint(rolesAllowed = { "gooduser" }, transportGuarantee = TransportGuarantee.CONFIDENTIAL) )
> web.xml excerpt:
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>sec</web-resource-name>
>             <url-pattern>/tgmixed/*</url-pattern>
>             <http-method>GET</http-method>
>             <http-method>POST</http-method>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>gooduser</role-name>
>         </auth-constraint>
>         <user-data-constraint>
>             <transport-guarantee>NONE</transport-guarantee>
>         </user-data-constraint>
>     </security-constraint>
> {noformat}
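An added example, not part of this JIRA message or of AS7: a small Python model of how the transport guarantee for a request is resolved when an @ServletSecurity annotation and a web.xml security-constraint overlap, under the Servlet 3.0 rules as assumed here (a web.xml constraint replaces the annotation only when its url-pattern exactly equals the servlet mapping, spec 13.4.1; otherwise the most specific matching url-pattern governs the request, spec 13.8.3). It evaluates the two url-patterns discussed above to show which one leaves the servlet reachable over non-confidential transport.

```python
"""Model (assumption, not container code) of how a Servlet 3.0 container picks
the transport guarantee for a request when an @ServletSecurity annotation and
a web.xml <security-constraint> overlap."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Constraint:
    url_pattern: str          # e.g. "/tg_mixed_override/*"
    transport_guarantee: str  # "NONE" or "CONFIDENTIAL"
    source: str               # "annotation" or "web.xml"


def pattern_matches(pattern: str, path: str) -> bool:
    """Servlet path-mapping semantics: exact match, or '/prefix/*' prefix match."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return pattern == path


def effective_constraints(servlet_mapping, annotation_tg, dd_constraints):
    """Turn the annotation into a constraint on the servlet's own mapping, then drop
    it when web.xml already carries an exact-match pattern for that mapping (13.4.1)."""
    constraints = list(dd_constraints)
    if not any(c.url_pattern == servlet_mapping for c in dd_constraints):
        constraints.append(Constraint(servlet_mapping, annotation_tg, "annotation"))
    return constraints


def transport_guarantee_for(path, constraints):
    """The longest (most specific) matching url-pattern decides (13.8.3);
    a path no constraint matches is unconstrained, i.e. NONE."""
    matching = [c for c in constraints if pattern_matches(c.url_pattern, path)]
    if not matching:
        return "NONE"
    return max(matching, key=lambda c: len(c.url_pattern)).transport_guarantee


SERVLET_MAPPING = "/tg_mixed_override/srv/*"   # mapping from the comment above
ANNOTATION_TG = "CONFIDENTIAL"                 # @HttpConstraint(transportGuarantee = CONFIDENTIAL)


def guarantee_with_dd_pattern(dd_pattern: str, path="/tg_mixed_override/srv/x") -> str:
    """Guarantee governing `path` when web.xml sets NONE on `dd_pattern` (path is constructed)."""
    dd = [Constraint(dd_pattern, "NONE", "web.xml")]
    return transport_guarantee_for(path, effective_constraints(SERVLET_MAPPING, ANNOTATION_TG, dd))


if __name__ == "__main__":
    for p in ("/tg_mixed_override/*", "/tg_mixed_override/srv/*"):
        print(p, "->", guarantee_with_dd_pattern(p))
```

With the broader pattern /tg_mixed_override/* the annotation's CONFIDENTIAL still governs the servlet, while the exact-match pattern /tg_mixed_override/srv/* replaces it with NONE, which is the difference in test outcome the comment above describes.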
