security-constraint not working

Larry Olson
Ranch Hand

Joined: Feb 03, 2009
Posts: 142
Hi,

I am running tomcat application server and I am testing the security to see if it works. Here are the entries I have in the relevant files:

In tomcat-users.xml
--------------------------



In web.xml
--------------


As you could see I have intentionally ignored using the <http-method> in order to constrain every type of resource request to be authenticated. Also I have put "/*" as the url-pattern, so that every page request matching any pattern would be constrained.

However when I go to any page under this web application, it doesn't prompt me for a username and password and I am freely able to access all the pages. This happens even when I try to add a "<http-method>GET</http-method>" under the "<web-resource-collection>", where it is supposed to constrain GET requests (which is the default for most pages).

I am breaking my head over why it isn't working. Could you see any obvious flaws in the code? Please help!!! Thanks.
Piotr Nowicki
Ranch Hand

Joined: Jul 13, 2010
Posts: 610

Is this the exact code you used?

You've misspelled the word "security":



but I guess that the container wouldn't deploy such web.xml without any notice...


OCP Java SE 6 Programmer, OCM Java SE 6 Developer, OCE Java EE 6 JSPSD, OCE Java EE 6 EJBD, OCE Java EE 6 JPAD, Spring 3.0 Core Professional.
Matthew Brown
Bartender

Joined: Apr 06, 2010
Posts: 4492
    
    8

Unless it's a transcription error, the obvious flaw is that you've mis-spelled "security-constraint" in web.xml. Is that mistake present in the actual file?
Larry Olson
Ranch Hand

Joined: Feb 03, 2009
Posts: 142
I don't know how to thank you guys for catching the typo. No wonder this tells the importance of peer code review.

Once I fixed the typo everything is working as expected.

Thanks a ton guys. I wouldn't have caught this otherwise so quickly.

@pedro: I don't think the tomcat container gave any errors on encountering that typo. I suspect it was probably because the typo matched in the starting and ending tags. So maybe it thinks that I introduced a new element in the deployment descriptor and it doesn't care? Let me try to introduce a random tag and see how it behaves.

Sure, I introduced a new tag like the one shown below and tomcat doesn't complain or care. It is happy and continues to work as expected:

So that explains why tomcat didn't complain when it encountered the matching security constraint tags with typo.
Piotr Nowicki
Ranch Hand

Joined: Jul 13, 2010
Posts: 610

Glad you managed to make it work :-)

So I guess that it's not checking the XML with the XSD. It's good to know!

Cheers!

Yogendra Joshi
Ranch Hand

Joined: Apr 04, 2006
Posts: 213
Larry Olson wrote: I don't know how to thank you guys for catching the typo. No wonder this tells the importance of peer code review.

Once I fixed the typo everything is working as expected.

Thanks a ton guys. I wouldn't have caught this otherwise so quickly.

@pedro: I don't think the tomcat container gave any errors on encountering that typo. I suspect it was probably because the typo matched in the starting and ending tags. So maybe it thinks that I introduced a new element in the deployment descriptor and it doesn't care? Let me try to introduce a random tag and see how it behaves.

Sure, I introduced a new tag like the one shown below and tomcat doesn't complain or care. It is happy and continues to work as expected:

So that explains why tomcat didn't complain when it encountered the matching security constraint tags with typo.


Well, if you look at any of the sample web.xml files over the internet you would see that each web-app element starts with the DTD definition. Your web-app should, though it is not mandatory, provide the XML namespace that it is going to use, for example:



If you type it in like this, then it will definitely validate the incorrect tags written by you and save you from runtime errors like the one you faced just now. Tomcat does validate it, but only if you have the DTD defined like above. Going forward, make a practice of using the web-app element with the DTD, which will save you from errors and let you focus on your business logic...

Have a good time learning !
Yogendra Joshi
Piotr Nowicki
Ranch Hand

Joined: Jul 13, 2010
Posts: 610

Hmmm,

Yogendra, that is what I was expecting, but not what was observed. On my apache tomcat 7.0.12 the following web.xml:



didn't show any sign of making a validation of web.xml with the XML Schema defined in the namespaces...
Larry Olson
Ranch Hand

Joined: Feb 03, 2009
Posts: 142
@yogendra
Just out of laziness I put "<web-app>", but actually I have used the entire tag with the DTD you are referring to.

As Pedro confirms and as I have observed, irrespective of if you put a DTD or not, tomcat doesn't complain if you put an external random tag. Please test this for yourself on tomcat. I hope you would observe the same behavior.

Thanks.
Piotr Nowicki
Ranch Hand

Joined: Jul 13, 2010
Posts: 610

Just to make it clear - we're all referring to the XML Schema and not the old DTD, right?
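
The failure discussed in this thread, as an added example that is not part of any post: a misspelled element under <web-app> is silently ignored, so the application deploys with no access control at all. The Python check below flags unknown top-level elements and reports whether any constraint with an auth-constraint covers "/*". The element list was typed by hand from the Servlet 3.0 schema, and the sample descriptor and its misspelling are constructed for illustration.

```python
import difflib
import xml.etree.ElementTree as ET

# Direct children of <web-app> allowed by the Servlet 3.0 schema
# (hand-typed for this example; extend it for other descriptor versions).
KNOWN = set("""description display-name icon distributable context-param filter
filter-mapping listener servlet servlet-mapping session-config mime-mapping
welcome-file-list error-page jsp-config security-constraint login-config
security-role env-entry ejb-ref ejb-local-ref service-ref resource-ref
resource-env-ref message-destination-ref persistence-context-ref
persistence-unit-ref post-construct pre-destroy data-source message-destination
locale-encoding-mapping-list module-name absolute-ordering""".split())

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]

def lint_web_xml(text):
    """Return (unknown_elements, protects_everything) for a web.xml string."""
    unknown, protected = [], False
    for child in ET.fromstring(text):
        name = local(child.tag)
        if name not in KNOWN:
            # Suggest the nearest valid element so a typo is obvious.
            guess = difflib.get_close_matches(name, sorted(KNOWN), n=1)
            unknown.append((name, guess[0] if guess else None))
        elif name == "security-constraint":
            patterns = [e.text.strip() for e in child.iter()
                        if local(e.tag) == "url-pattern" and e.text]
            has_auth = any(local(e.tag) == "auth-constraint" for e in child)
            protected = protected or (has_auth and "/*" in patterns)
    return unknown, protected

# Constructed descriptor with a constructed misspelling of security-constraint.
SAMPLE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <secuirty-constraint>
    <web-resource-collection>
      <web-resource-name>all</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </secuirty-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""
FIXED = SAMPLE.replace("secuirty", "security")

if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE), ("fixed", FIXED)):
        print(label, lint_web_xml(doc))
```

Running a check like this in the build catches the typo before deployment, independent of whether the container validates the descriptor.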