problem regarding empty auth-constraint tag

Deep Mukherjee
Greenhorn

Joined: Jan 04, 2010
Posts: 20
I have created one JSP and called a servlet from there. My JSP contains the following code:

<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Insert title here</title>
</head>
<body>
<form method=GET action="TestServlet">
<INPUT TYPE=SUBMIT>
</form>
</body>
</html>

I have written a sysout statement in the servlet's post method. I have put a security constraint in web.xml like this:


<security-constraint>
<web-resource-collection>
<web-resource-name>TestWebProject</web-resource-name>
<url-pattern>/TestWebProject/*</url-pattern>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
</auth-constraint>
</security-constraint>


As my </auth-constraint> tag is blank, according to the definition the POST method should not be invoked. But in this case it is getting called and I can see the sysout statement in the console. Can anyone help me see where I am wrong?
J. Kevin Robbins
Bartender

Joined: Dec 16, 2010
Posts: 842
    
  13

You've constrained POST but your form is doing a GET. Once you list even a single method as constrained, all other methods are enabled for everyone.


"The good news about computers is that they do what you tell them to do. The bad news is that they do what you tell them to do." -- Ted Nelson
Kumaravadivel Subramani
Ranch Hand

Joined: Jul 05, 2008
Posts: 166

If you want to enable constraints for the GET method also, have entries as below:

<http-method>GET</http-method>
<http-method>POST</http-method>


No pain, No gain.
OCJP 1.6
Deep Mukherjee
Greenhorn

Joined: Jan 04, 2010
Posts: 20
I have changed the security constraint like this:

<security-constraint>
<web-resource-collection>
<web-resource-name>TestWebProject</web-resource-name>
<url-pattern>/TestWebProject/</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
</auth-constraint>
</security-constraint>


Still I am able to call the GET method.
Kumaravadivel Subramani
Ranch Hand

Joined: Jul 05, 2008
Posts: 166

Can you post your whole web.xml and provide the URL at which you are accessing the HTML file?
Rob Spoor
Sheriff

Joined: Oct 27, 2005
Posts: 19655
    
  18

Please don't paste the entire web.xml yet. First filter out everything that's not related to the servlet in question, especially other servlets.

However, I think the problem is in the URL pattern. Your form action is "TestServlet". Your URL pattern is now "/TestWebProject/"; it was "/TestWebProject/*". My guess is that "TestWebProject" is the name of the web application. URL patterns are already relative to the web application. Change your URL pattern to "/*".


SCJP 1.4 - SCJP 6 - SCWCD 5 - OCEEJBD 6
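
Added example, not code from the thread or from any container: a simplified Python model of how one security-constraint is matched against a request, run over the constraints posted above. It assumes the context path is /TestWebProject (the guess made in the thread) and that the form's GET resolves to /TestWebProject/TestServlet; `matches`, `covers`, `constraint` and `report` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

CONTEXT = "/TestWebProject"  # assumption: the web application's context path

def matches(pattern, path):
    """Match a context-relative path against a servlet url-pattern."""
    if pattern.endswith("/*"):                 # path-prefix pattern
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):               # extension pattern
        return path.endswith(pattern[1:])
    return path == pattern                     # exact pattern

def covers(constraint_xml, method, request_uri):
    """True if this security-constraint applies to the request."""
    sc = ET.fromstring(constraint_xml)
    # url-patterns are compared with the path *after* the context path.
    path = request_uri[len(CONTEXT):] or "/"
    patterns = [e.text.strip() for e in sc.iter("url-pattern")]
    methods = [e.text.strip().upper() for e in sc.iter("http-method")]
    if not any(matches(p, path) for p in patterns):
        return False
    # No <http-method> elements means every HTTP method is covered.
    return not methods or method.upper() in methods

def constraint(pattern, *methods):
    """Build a constraint with an empty auth-constraint (constructed sample)."""
    m = "".join(f"<http-method>{x}</http-method>" for x in methods)
    return ("<security-constraint><web-resource-collection>"
            "<web-resource-name>TestWebProject</web-resource-name>"
            f"<url-pattern>{pattern}</url-pattern>{m}"
            "</web-resource-collection><auth-constraint/></security-constraint>")

URI = CONTEXT + "/TestServlet"                    # assumed target of the form
FIRST = constraint("/TestWebProject/*", "POST")   # first attempt in the thread
SECOND = constraint("/TestWebProject/", "GET")    # second attempt in the thread
FIXED = constraint("/*")                          # "/*" and no method list

def report():
    """Does each constraint apply to the form's GET request?"""
    cases = (("first", FIRST), ("second", SECOND), ("fixed", FIXED))
    return {name: covers(xml, "GET", URI) for name, xml in cases}

if __name__ == "__main__":
    print(report())
```

A constraint that applies and has an empty auth-constraint rejects the request; one that does not apply leaves it open to everyone, which is what both posted attempts do for this GET.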