
Understanding security constraint in web.xml

 
Vivek Jain
Hi,

I have the snippet below related to the security constraint in my web.xml for my Struts2 application. Can anyone explain what it means and how the security constraint works for the XML below?



Also, we ran the Fortify tool and it reported that instead of blacklisting, we should put a whitelist of tasks in this security constraint. Can anyone tell me how to change the above XML to provide whitelisting?

Thanks!
 
Tim Holloway
As it stands right now, you actually appear to have redundant rules. None of them grant access, and the master URL pattern "/*" would apply even if the earlier patterns had not already blocked everything.

A whitelisting setup would define URL patterns that determine what roles have authorization and permit access to them. Unmatched URLs would be attempted against each of the remaining patterns. If none matched, the master pattern would reject the request.
 