[jboss-jira] [JBoss JIRA] (WFLY-6990) web.xml unprotected url pattern "/" overrides role protected "/*" pattern
Guillermo González de Agüero (JIRA)
issues at jboss.org
Tue Aug 23 13:42:00 EDT 2016
Guillermo González de Agüero created WFLY-6990:
--------------------------------------------------
Summary: web.xml unprotected url pattern "/" overrides role protected "/*" pattern
Key: WFLY-6990
URL: https://issues.jboss.org/browse/WFLY-6990
Project: WildFly
Issue Type: Bug
Components: Web (Undertow)
Affects Versions: 10.1.0.Final
Reporter: Guillermo González de Agüero
Assignee: Stuart Douglas
Attachments: security-example-1.0-SNAPSHOT.war
Given the following web.xml
{code:java}
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Unprotected</web-resource-name>
            <url-pattern>/</url-pattern>
        </web-resource-collection>
    </security-constraint>
    <security-role>
        <role-name>admin</role-name>
    </security-role>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Protected area</realm-name>
    </login-config>
</web-app>
{code}
A login prompt is expected when accessing /any-page.jsp since "/*" requires the "admin" role. Instead, every page seems to be unprotected, due to the unchecked "/" pattern specified below. Payara/GlassFish and Tomcat show the expected behaviour.
If no role is allowed (<auth-constraint /> for the /*), every page is forbidden as expected.
I've attached a WAR that reproduces the problem.
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
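To make the expected behaviour concrete, here is an added Python check (not part of the report, nor of WildFly or Undertow) that parses a web.xml and computes which security constraint should govern a request path. It builds its web.xml from the one in the report (with the auth-constraint swapped in so both cases the reporter describes can be checked) and assumes the Servlet spec's best-match ordering for url-patterns (exact match, then longest path prefix, then extension, then the default "/" pattern), combining constraints on the best-matching pattern as the spec describes: a constraint with no auth-constraint grants unauthenticated access, an empty auth-constraint forbids everyone, otherwise the allowed roles are the union. It goes slightly beyond the report by also ranking exact and extension patterns, so it can be pointed at other deployment descriptors.

```python
"""Effective security-constraint calculator for a web.xml path.

Added example; assumes the Servlet spec url-pattern precedence
(exact > longest path prefix > extension > default "/") and the spec's
rules for combining constraints that share the best-matching pattern.
"""
import xml.etree.ElementTree as ET

NS = {"j": "http://xmlns.jcp.org/xml/ns/javaee"}


def web_xml(auth_constraint):
    # Constructed from the web.xml in the report; the auth-constraint of the
    # "/*" collection is parameterised so both reported cases can be checked.
    return f"""<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    {auth_constraint}
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Unprotected</web-resource-name>
      <url-pattern>/</url-pattern>
    </web-resource-collection>
  </security-constraint>
</web-app>"""


# The descriptor from the report, and the empty-auth-constraint variant it mentions.
REPORTED = web_xml("<auth-constraint><role-name>admin</role-name></auth-constraint>")
FORBIDDEN = web_xml("<auth-constraint/>")


def parse_constraints(xml_text):
    """Return a list of (url_patterns, roles). roles is None when the
    constraint has no <auth-constraint> (unauthenticated access allowed),
    an empty frozenset when it has an empty one (nobody allowed)."""
    root = ET.fromstring(xml_text)
    result = []
    for sc in root.findall("j:security-constraint", NS):
        patterns = [p.text.strip() for p in
                    sc.findall("j:web-resource-collection/j:url-pattern", NS)]
        ac = sc.find("j:auth-constraint", NS)
        roles = None if ac is None else frozenset(
            r.text.strip() for r in ac.findall("j:role-name", NS))
        result.append((patterns, roles))
    return result


def match_rank(pattern, path):
    """Rank a url-pattern against a request path in Servlet spec order.
    Larger tuples are more specific; None means the pattern does not match."""
    if pattern == "/":                            # default mapping: matches everything
        return (0, 0)
    if pattern.startswith("*."):                  # extension mapping, e.g. *.jsp
        return (1, 0) if path.endswith(pattern[1:]) else None
    if pattern.endswith("/*"):                    # path-prefix mapping; longer prefix wins
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))
        return None
    return (3, 0) if path == pattern else None    # exact mapping


def effective_constraint(constraints, path):
    """Return ("open", None), ("forbidden", frozenset()) or ("roles", roles)
    for the constraint(s) on the best-matching pattern."""
    matches = []
    for patterns, roles in constraints:
        for pattern in patterns:
            rank = match_rank(pattern, path)
            if rank is not None:
                matches.append((rank, roles))
    if not matches:
        return ("open", None)                     # no constraint covers the path at all
    best = max(rank for rank, _ in matches)
    best_roles = [roles for rank, roles in matches if rank == best]
    if any(roles is None for roles in best_roles):
        return ("open", None)                     # a constraint without auth-constraint wins
    union = frozenset().union(*best_roles)
    return ("roles", union) if union else ("forbidden", frozenset())


if __name__ == "__main__":
    for label, text in (("reported", REPORTED), ("empty auth-constraint", FORBIDDEN)):
        kind, roles = effective_constraint(parse_constraints(text), "/any-page.jsp")
        print(f"{label}: /any-page.jsp -> {kind} {sorted(roles) if roles else ''}")
```

Running it prints that /any-page.jsp requires the admin role for the reported descriptor and is forbidden for the empty-auth-constraint variant, because "/*" is a path-prefix pattern and outranks the default "/" pattern regardless of the order in which the two constraints appear; a container that lets the "/" constraint open every page is not applying that precedence.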