[jbossws-dev] TomcatDeployment2 denied GET access although only POST is secured
Scott M Stark
sstark at redhat.com
Sat Mar 3 10:52:31 EST 2007
For the org.jboss.web.tomcat.tc6.deployers.TomcatDeployment I verified
that if I secure the jmx-console.war to only posts using this in the
web.xml:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>HtmlAdaptor</web-resource-name>
            <description>An example security config that only allows users with the
                role JBossAdmin to access the HTML JMX console web application
            </description>
            <url-pattern>/*</url-pattern>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>JBossAdmin</role-name>
        </auth-constraint>
    </security-constraint>
This disallows POSTs, but allows GETs as expected:
[starksm at succubus lib]$ wget --post-data="" http://localhost:8080/jmx-console/
--07:48:05-- http://localhost:8080/jmx-console/
=> `index.html'
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:8080... connected.
HTTP request sent, awaiting response... 401 Unauthorized
Authorization failed.
[starksm at succubus lib]$ wget http://localhost:8080/jmx-console/
--07:48:16-- http://localhost:8080/jmx-console/
=> `index.html'
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
[ <=> ] 63,342 --.--K/s
07:48:16 (1.93 MB/s) - `index.html' saved [63342]
For the org.jboss.web.tomcat.tc6.deployers.TomcatDeployment2, GETs fail:
[starksm at succubus lib]$ wget http://localhost:8080/jmx-console/
--07:50:46-- http://localhost:8080/jmx-console/
=> `index.html.1'
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:8080... connected.
HTTP request sent, awaiting response... 401 Unauthorized
Most likely the security metadata is not getting passed in correctly.
Thomas Diesler wrote:
> Hi Remy,
>
> An endpoint that secures POST only should still allow GET.
> This is a very common use case in web services since wsdl access is GET
> and web service invocation is POST.
>
> http://jira.jboss.org/jira/browse/JBCTS-542
>
> cheers
> -thomas
>
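As an added example (not code from this mail, from JBossWS or from Tomcat), the script below audits a web.xml `security-constraint` the way a reviewer would before deploying it: it parses the constraint, evaluates which HTTP methods on a given path actually require authentication, and lists the methods left unconstrained. Run against the POST-only constraint quoted above it shows exactly the behaviour Scott observed with TomcatDeployment: POST needs a JBossAdmin login, GET does not. The second web.xml variant (constructed here, with the `http-method` element dropped) shows the setting a deployer wants when the whole resource should be protected. The url-pattern matching is a simplification of the servlet rules (the four pattern forms, no best-match precedence between overlapping constraints), and the sample web.xml text is constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Set
import xml.etree.ElementTree as ET

# Constructed sample 1: the POST-only constraint from the mail, namespace omitted.
WEB_XML_POST_ONLY = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed sample 2: same constraint with no http-method, so every method is covered.
WEB_XML_ALL_METHODS = WEB_XML_POST_ONLY.replace("<http-method>POST</http-method>", "")

METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE")


@dataclass
class Constraint:
    patterns: List[str]
    methods: Optional[Set[str]]   # None means "all methods" (no http-method listed)
    has_auth_constraint: bool     # False means the constraint grants access, not restricts it


def _local(tag: str) -> str:
    """Strip an XML namespace prefix ({uri}name -> name)."""
    return tag.split("}", 1)[-1]


def parse_constraints(xml_text: str) -> List[Constraint]:
    """Collect every web-resource-collection together with its enclosing auth-constraint."""
    root = ET.fromstring(xml_text)
    result = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        has_auth = any(_local(ch.tag) == "auth-constraint" for ch in sc)
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            patterns = [e.text.strip() for e in wrc if _local(e.tag) == "url-pattern"]
            methods = {e.text.strip().upper() for e in wrc if _local(e.tag) == "http-method"}
            result.append(Constraint(patterns, methods or None, has_auth))
    return result


def pattern_matches(pattern: str, path: str) -> bool:
    """Servlet-style url-pattern match for a context-relative path."""
    if pattern == "/":
        return True                      # default servlet pattern matches everything
    if pattern.endswith("/*"):           # path mapping, e.g. /* or /admin/*
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):         # extension mapping, e.g. *.jsp
        return path.endswith(pattern[1:])
    return path == pattern               # exact mapping


def auth_required(constraints: List[Constraint], method: str, path: str) -> bool:
    """True if some constraint with an auth-constraint covers this method on this path."""
    for c in constraints:
        if not c.has_auth_constraint:
            continue
        if not any(pattern_matches(p, path) for p in c.patterns):
            continue
        if c.methods is None or method.upper() in c.methods:
            return True
    return False


def uncovered_methods(constraints: List[Constraint], path: str) -> List[str]:
    """Methods a client can use on `path` without authenticating."""
    return [m for m in METHODS if not auth_required(constraints, m, path)]


if __name__ == "__main__":
    for label, xml_text in (("POST only", WEB_XML_POST_ONLY), ("all methods", WEB_XML_ALL_METHODS)):
        cs = parse_constraints(xml_text)
        print(f"{label}: unauthenticated methods on '/' -> {uncovered_methods(cs, '/') or 'none'}")
```

The audit reports `GET`, `HEAD`, `PUT`, `DELETE`, `OPTIONS` and `TRACE` as unauthenticated for the POST-only constraint and nothing for the variant without `http-method`; that matches the 401 on the `--post-data` request and the 200 on the plain GET in the TomcatDeployment run above, and is the expected servlet semantics that TomcatDeployment2 failed to honour.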