aspose file tools
The moose likes Tomcat and the fly likes Understanding security constraint in ewb.xml Big Moose Saloon
  Search | Java FAQ | Recent Topics
Register / Login
JavaRanch » Java Forums » Products » Tomcat
Reply Bookmark "Understanding security constraint in ewb.xml" Watch "Understanding security constraint in ewb.xml" New topic
Author

Understanding security constraint in ewb.xml

Vivek Jain
Ranch Hand

Joined: Oct 17, 2007
Posts: 34
posted private message
0
Quote
Hi,

I've below snippet related to security constraint in my web.xml for my struts2 application. Can any one explain what it means & how does the security constraint works for below xml?



Also, we ran fortify tool & it reported that instead of blacklisting, we should put whitelist of tasks in this security constraint. Can any one tell me how to change above xml to provide whitelisting?

Thanks!
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 14491
    
    7

I like...
Android Eclipse IDE Linux
posted private message
0
Quote
As it stands right now, you actually appear to have redundant rules. None of them grant access, and the master URL pattern "/*" would apply even if the earlier patterns had not already blocked
everything.

A whitelisting setup would defined URL patterns that determined what roles had authorization and permit access to them. Unmatched URLs would be attempted against each of the remaining patterns. If none matched, the master pattern would reject the request.

Customer surveys are for companies who didn't pay proper attention to begin with.
 
I agree. Here's the link: http://ej-technologies/jprofiler - if it wasn't for jprofiler, we would need to run our stuff on 16 servers instead of 3.
 
subject: Understanding security constraint in ewb.xml
 
Similar Threads
Issue with -Xauthfile execution in wsimport tool(JAX-RI)
If http-method is not specified, then nobody can access the resource ?
Preventing access to JSP's without authenticating.
auth constraint
Allow index.jsp but disallow access to any other jsp's