"auth-constraint" tag

 
Mahendar Reddy
Ranch Hand
Posts: 73
Hi friends, how do you do?

I have a doubt regarding security.

When we specify the following two <auth-constraint> tags for a single web resource, what happens?

1) <auth-constraint/>
2) <auth-constraint>*</auth-constraint>

In HFSJ they are saying that nobody can access the resource when one of them is <auth-constraint/>, but it is giving access to all, i.e. it is always the union of the two.

What's your opinion, friends?
[ March 23, 2006: Message edited by: Mahendar Reddy ]
 
Narendra Dhande
Ranch Hand
Posts: 951
Hi,

Have you tested it? If yes, can you post the full <security-constraint> entry from your web.xml here?

Thanks
 
Steven Colley
Ranch Hand
Posts: 290
Hi,

Isn't it supposed to work fine only when you have two <web-resource-collection> tags specified rather than one?

Thanks.
 
Narendra Dhande
Ranch Hand
Posts: 951
Hi,

Basically, the container unions all the roles under <auth-constraint> for the matching URL and HTTP method, irrespective of the <web-resource-collection>. The special case is for the matching resource: if one of the <auth-constraint> elements is empty, i.e. there is an entry <auth-constraint/>, then access is precluded for all users.

Thanks
 
Mahendar Reddy
Ranch Hand
Posts: 73
Hi Narendra,

Here is the web.xml:


<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <servlet>
    <!-- servlet-name must precede servlet-class: the 2.4 schema fixes the sub-element order -->
    <servlet-name>s1</servlet-name>
    <servlet-class>servlet1</servlet-class>
    <init-param>
      <param-name>param10</param-name>
      <param-value>param10</param-value>
    </init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>s1</servlet-name>
    <url-pattern>/el</url-pattern>
  </servlet-mapping>

  <servlet>
    <servlet-name>s2</servlet-name>
    <servlet-class>jstl</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>s2</servlet-name>
    <url-pattern>/jstl</url-pattern>
  </servlet-mapping>

  <servlet>
    <servlet-name>test1</servlet-name>
    <jsp-file>/test1.jsp</jsp-file>
    <init-param>
      <param-name>param1</param-name>
      <param-value>JSPparam1</param-value>
    </init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>test1</servlet-name>
    <url-pattern>/test1.jsp</url-pattern>
  </servlet-mapping>

  <context-param>
    <param-name>param2</param-name>
    <param-value>param12</param-value>
  </context-param>

  <!-- Security Issues -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>

  <!-- WR1: /el/* (GET and POST only) restricted to the admin role -->
  <security-constraint>
    <web-resource-collection>
      <!-- web-resource-name comes first inside web-resource-collection -->
      <web-resource-name>WR1</web-resource-name>
      <url-pattern>/el/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- WR2: the same resource and methods with an empty auth-constraint -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>WR2</web-resource-name>
      <url-pattern>/el/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>

</web-app>



It is giving access to the 'admin' role...

Just concentrate on the security tags. By the way, I am using Tomcat 5.0.

Thanks for your reply.
[ March 27, 2006: Message edited by: Mahendar Reddy ]
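The combining rules Narendra describes above, applied to the web.xml in this post, as an added example that is not part of the original thread and not the code of any container. It is a small Python checker that reads a web.xml and reports, for a request path and HTTP method, what the Servlet 2.4 spec ("Combining Constraints" and "Processing Requests" in the security chapter) says the effective access should be: the best-matching url-pattern is selected first (exact, then longest `/x/*` prefix, then `*.ext`, then `/`), then every constraint on that pattern whose method list is empty or contains the method is combined; named roles are unioned, `*` stands for every declared <security-role>, a constraint with no <auth-constraint> opens the resource to anyone, and an empty <auth-constraint/> overrides all of that and precludes access. The embedded web.xml is constructed: it is the two /el/* constraints from this post (in schema order) plus an assumed second role `guest` and an assumed pair of constraints on /jstl (admin, and `*`) added to show the union case from the first post's question.

```python
import xml.etree.ElementTree as ET

NS = "{http://java.sun.com/xml/ns/j2ee}"

# Constructed sample: the thread's two /el/* constraints (schema order), plus an
# assumed 'guest' role and an assumed admin + '*' pair on /jstl for the union case.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>guest</role-name></security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>WR1</web-resource-name>
      <url-pattern>/el/*</url-pattern>
      <http-method>GET</http-method><http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>WR2</web-resource-name>
      <url-pattern>/el/*</url-pattern>
      <http-method>GET</http-method><http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>J1</web-resource-name><url-pattern>/jstl</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>J2</web-resource-name><url-pattern>/jstl</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def _match_rank(pattern, path):
    """Rank a url-pattern against a request path with the servlet mapping precedence:
    exact > longest '/x/*' prefix > '*.ext' > default '/'.  None when it does not match."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))
        return None
    if pattern.startswith("*."):
        return (1, 0) if path.endswith(pattern[1:]) else None
    if pattern == "/":
        return (0, 0)
    return None


def load_rules(web_xml):
    """Flatten <security-constraint> elements to (url-pattern, methods, auth) triples.
    auth is None when there is no <auth-constraint>; an empty set is '<auth-constraint/>'."""
    root = ET.fromstring(web_xml)
    declared = frozenset(r.text.strip()
                         for r in root.findall(NS + "security-role/" + NS + "role-name"))
    rules = []
    for sc in root.findall(NS + "security-constraint"):
        ac = sc.find(NS + "auth-constraint")
        auth = None if ac is None else frozenset(r.text.strip() for r in ac.findall(NS + "role-name"))
        for wrc in sc.findall(NS + "web-resource-collection"):
            methods = frozenset(m.text.strip().upper() for m in wrc.findall(NS + "http-method"))
            for p in wrc.findall(NS + "url-pattern"):
                rules.append((p.text.strip(), methods, auth))
    return declared, rules


def effective_access(web_xml, path, method):
    """Return (kind, roles): 'unconstrained' (nothing covers path+method, served to anyone),
    'precluded' (an empty <auth-constraint/> was combined in), 'anyone' (a matching
    constraint has no <auth-constraint>), or 'roles' (union, '*' expanded to declared roles)."""
    declared, rules = load_rules(web_xml)
    ranked = []
    for rule in rules:
        rank = _match_rank(rule[0], path)
        if rank is not None:
            ranked.append((rank, rule))
    if not ranked:
        return ("unconstrained", frozenset())
    best = max(rank for rank, _ in ranked)          # only the best-matching pattern counts
    method = method.upper()
    auths = [auth for rank, (_, methods, auth) in ranked
             if rank == best and (not methods or method in methods)]
    if not auths:
        return ("unconstrained", frozenset())       # pattern matched, but not this method
    if any(auth is not None and not auth for auth in auths):
        return ("precluded", frozenset())           # <auth-constraint/> wins over everything
    if any(auth is None for auth in auths):
        return ("anyone", frozenset())              # missing auth-constraint opens the resource
    roles = set()
    for auth in auths:
        roles |= (declared or {"*"}) if "*" in auth else auth
    return ("roles", frozenset(roles))


if __name__ == "__main__":
    for path, method in [("/el", "GET"), ("/el/x", "POST"), ("/el", "HEAD"),
                         ("/jstl", "GET"), ("/test1.jsp", "GET")]:
        print(f"{method:5} {path:12} -> {effective_access(WEB_XML, path, method)}")
```

Running it shows why the observation in this thread matters: the spec answer for GET /el is "precluded", so a container that still lets admin in is not applying the combining rule. The HEAD line is the caveat a reviewer should raise about this web.xml regardless of container: both collections list only GET and POST, so any other method on /el/* matches no constraint at all and is served without authentication. List every method the servlet answers, or leave <http-method> out entirely, which makes the constraint cover all methods.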
 
Greenhorn
Posts: 8
I have got the same question; does anybody know the answer to this?
Who would have access? ALL or NONE?
 
Steven Colley
Ranch Hand
Posts: 290
Theoretically NONE, because of "<auth-constraint />".

Did you try using another <auth-method> value in <login-config>?

regards,
 
Ranch Hand
Posts: 40
Hi,

Were you saying that it gave the admin access to /el/*?
 
Narendra Dhande
Ranch Hand
Posts: 951
Hi Mahendar,

I also tested the same on Tomcat 5.5.7. It is giving access to the admin user.

Also, I tested it on the Sun Java System Application Server 8.1. It requires the following changes in your web.xml, as it validates the web.xml and the order of sub-elements under <security-constraint> is important.



In this test it does not even give me the Basic auth screen to enter the username and password. It only gives the forbidden message for this resource:
http://localhost:6060/test1/el

For the other resources not matching the above url-pattern it is working fine.

So, I think it is a Tomcat problem. Our assumption that if <auth-constraint/> occurs, then access is forbidden to all users for that resource is true.

I request someone to check on another commercial platform and comment on it.

Thanks
[ March 27, 2006: Message edited by: Narendra Dhande ]
 
Steven Colley
Ranch Hand
Posts: 290
Folks, I was taking a look at the Servlet Spec and noticed that there is a sample where they use the same name for <web-resource-name> when they specify different <auth-constraint> tags for two <security-constraint> elements.

Source: Servlet Spec, Security chapter (topic: "Combining Constraints"), pages 98 and 99.

What do you think, shall we give it a try?

regards,
 