[jboss-jira] [JBoss JIRA] (AS7-3415) security-constraint/user-data-constraint/transport-guarantee in web.xml file doesn't override setting from servlet @ServletSecurity transportGuarantee parameter

Peter Skopek (JIRA) jira-events at lists.jboss.org
Tue Jan 24 08:12:18 EST 2012


    [ https://issues.jboss.org/browse/AS7-3415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12661420#comment-12661420 ] 

Peter Skopek commented on AS7-3415:
-----------------------------------

Well, let's be a little bit more specific about why it has to be the exact match.

Chapter 13.8.3 Processing Requests of the Java Servlet Specification v.3.0 says:
When a Servlet container receives a request, it shall use the algorithm described in
“Use of URL Paths” on page 95 to select the constraints (if any) defined on the
url-pattern that is *the best match* to the request URI.

I still don't see any mention of exact match to url pattern, so I think the test is valid and the problem has to be fixed. 


                
> security-constraint/user-data-constraint/transport-guarantee in web.xml file doesn't override setting from servlet @ServletSecurity transportGuarantee parameter
> ----------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: AS7-3415
>                 URL: https://issues.jboss.org/browse/AS7-3415
>             Project: Application Server 7
>          Issue Type: Bug
>          Components: Web
>    Affects Versions: 7.1.0.CR1b
>            Reporter: Peter Skopek
>            Assignee: Remy Maucherat
>
> security-constraint/user-data-constraint/transport-guarantee in web.xml file doesn't override setting from servlet @ServletSecurity transportGuarantee parameter
> {noformat}
> My settings:
> @ServletSecurity(@HttpConstraint(rolesAllowed = { "gooduser" }, transportGuarantee = TransportGuarantee.CONFIDENTIAL) )
> web.xml excerpt:
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>sec</web-resource-name>
>             <url-pattern>/tgmixed/*</url-pattern>
>             <http-method>GET</http-method>
>             <http-method>POST</http-method>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>gooduser</role-name>
>         </auth-constraint>
>         <user-data-constraint>
>             <transport-guarantee>NONE</transport-guarantee>
>         </user-data-constraint>
>     </security-constraint>
> {noformat}
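
The best-match selection that the quoted spec passage refers to, as an added example that is not part of the original message or of the JBoss code base: it applies the servlet mapping order (exact, longest path-prefix, extension, default) to constraint url-patterns. Only `/tgmixed/*` with `NONE` comes from the issue; the `/tgmixed/secured` mapping for the annotated servlet, the `*.jsp` entry and the request paths are assumptions made for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class BestMatchConstraint {

    /** Returns the url-pattern that best matches the path, or null if none does. */
    static String bestMatch(Iterable<String> patterns, String path) {
        String prefixBest = null, extensionBest = null, defaultBest = null;
        for (String p : patterns) {
            if (p.equals(path)) {
                return p;                                   // 1. exact match wins outright
            } else if (p.endsWith("/*")) {                  // 2. path-prefix pattern
                String prefix = p.substring(0, p.length() - 2);
                boolean hit = path.equals(prefix) || path.startsWith(prefix + "/");
                if (hit && (prefixBest == null || p.length() > prefixBest.length())) {
                    prefixBest = p;                         // keep the longest matching prefix
                }
            } else if (p.startsWith("*.")) {                // 3. extension pattern
                int slash = path.lastIndexOf('/');
                int dot = path.lastIndexOf('.');
                if (dot > slash && path.substring(dot).equals(p.substring(1))) {
                    extensionBest = p;
                }
            } else if (p.equals("/")) {                     // 4. default pattern
                defaultBest = p;
            }
        }
        if (prefixBest != null) return prefixBest;
        return extensionBest != null ? extensionBest : defaultBest;
    }

    public static void main(String[] args) {
        // Constructed constraint table: url-pattern -> transport guarantee.
        Map<String, String> constraints = new LinkedHashMap<String, String>();
        constraints.put("/tgmixed/*", "NONE");               // from the web.xml excerpt
        constraints.put("/tgmixed/secured", "CONFIDENTIAL"); // assumed mapping of the annotated servlet
        constraints.put("*.jsp", "NONE");                    // constructed entry
        String[] requests = {"/tgmixed/secured", "/tgmixed/other", "/a/page.jsp", "/x"};
        for (String path : requests) {
            String p = bestMatch(constraints.keySet(), path);
            String guarantee = (p == null) ? "no constraint" : constraints.get(p);
            System.out.println(path + " -> " + p + " -> " + guarantee);
        }
    }
}
```

Under these assumptions the transport guarantee enforced for a request depends on which pattern wins the match, so a descriptor constraint on `/tgmixed/*` and an annotation-derived constraint on a more specific pattern can apply to different requests.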
