[jbossws-dev] TomcatDeployment2 denied GET access although only POST is secured

Scott M Stark sstark at redhat.com
Sat Mar 3 10:52:31 EST 2007


For the org.jboss.web.tomcat.tc6.deployers.TomcatDeployment I verified
that if I secure the jmx-console.war to only POSTs using this in the
web.xml:

   <security-constraint>
     <web-resource-collection>
       <web-resource-name>HtmlAdaptor</web-resource-name>
       <description>An example security config that only allows users
         with the role JBossAdmin to access the HTML JMX console web application
       </description>
       <url-pattern>/*</url-pattern>
       <http-method>POST</http-method>
     </web-resource-collection>
     <auth-constraint>
       <role-name>JBossAdmin</role-name>
     </auth-constraint>
   </security-constraint>

This disallows POSTs, but allows GETs as expected:

[starksm at succubus lib]$ wget --post-data="" http://localhost:8080/jmx-console/
--07:48:05--  http://localhost:8080/jmx-console/
           => `index.html'
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:8080... connected.
HTTP request sent, awaiting response... 401 Unauthorized
Authorization failed.
[starksm at succubus lib]$ wget http://localhost:8080/jmx-console/
--07:48:16--  http://localhost:8080/jmx-console/
           => `index.html'
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]

    [ <=>                                 ] 63,342        --.--K/s

07:48:16 (1.93 MB/s) - `index.html' saved [63342]

For the org.jboss.web.tomcat.tc6.deployers.TomcatDeployment2, GETs fail:
[starksm at succubus lib]$ wget http://localhost:8080/jmx-console/
--07:50:46--  http://localhost:8080/jmx-console/
           => `index.html.1'
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:8080... connected.
HTTP request sent, awaiting response... 401 Unauthorized

Most likely the security metadata is not getting passed in correctly.

Thomas Diesler wrote:
> Hi Remy,
> 
> An endpoint that secures POST only should still allow GET.
> This is a very common use case in web services since wsdl access is GET
> and web service invocation is POST.
> 
> http://jira.jboss.org/jira/browse/JBCTS-542
> 
> cheers
> -thomas
> 
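To make the expected behaviour concrete, here is an added example (not code from this thread, JBoss or Tomcat) that applies the servlet security-constraint matching rules to the web.xml above: a constraint applies to a request only when one of its url-patterns matches and the method is listed (or no http-method is listed at all). The web.xml string is constructed from the post; role-combination corner cases (an empty auth-constraint, or a matching constraint without one) are deliberately not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the security-constraint from the post, wrapped in a
# minimal <web-app> root so it parses stand-alone.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""


def pattern_matches(pattern, path):
    """Servlet url-pattern matching: exact, path prefix (/x/*), extension (*.ext), default (/)."""
    if pattern == "/" or pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return False


def required_roles(web_xml, method, path):
    """Roles a request (method, context-relative path) must hold, or None if no constraint applies."""
    roles = None
    for sc in ET.fromstring(web_xml).findall("security-constraint"):
        for coll in sc.findall("web-resource-collection"):
            patterns = [p.text.strip() for p in coll.findall("url-pattern")]
            methods = {m.text.strip().upper() for m in coll.findall("http-method")}
            # No <http-method> means every method; otherwise only the listed ones are
            # constrained, so unlisted methods (here GET) stay unconstrained.
            if methods and method.upper() not in methods:
                continue
            if not any(pattern_matches(p, path) for p in patterns):
                continue
            auth = sc.find("auth-constraint")
            names = {r.text.strip() for r in auth.findall("role-name")} if auth is not None else set()
            roles = (roles or set()) | names
    return roles


def constrained_methods(web_xml, path, methods=("GET", "POST", "PUT", "DELETE")):
    """Map each method to the roles it needs for this path; mirrors the GET/POST wget check above."""
    return {m: required_roles(web_xml, m, path) for m in methods}
```

On the post's configuration this reports GET as unconstrained and POST as requiring JBossAdmin, which is what TomcatDeployment returns and TomcatDeployment2 does not.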