aspose file tools*
The moose likes Servlets and the fly likes problem regarding empty auth-constraint tag Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Java » Servlets
Bookmark "problem regarding empty auth-constraint tag" Watch "problem regarding empty auth-constraint tag" New topic
Author

problem regarding empty auth-constraint tag

Deep Mukherjee
Greenhorn

Joined: Jan 04, 2010
Posts: 20
I have created one jsp and called a servelt from there .My JSP contains following code

<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Insert title here</title>
</head>
<body>
<form method=GET action="TestServlet">
<INPUT TYPE=SUBMIT>
</form>
</body>
</html>

I have wriiten a sysout state ment in servlet post method.I have put a security constrain in web.xml like this


<security-constraint>
<web-resource-collection>
<web-resource-name>TestWebProject</web-resource-name>
<url-pattern>/TestWebProject/*</url-pattern>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
</auth-constraint>
</security-constraint>


as my </auth-constraint> tag is blank according to defination Post method should not be invoked .But in this case it is getting called and i can see Sysout statement in console .Can any one help where i am wrong?
J. Kevin Robbins
Ranch Hand

Joined: Dec 16, 2010
Posts: 632
    
    7

You've constrained POST but your form is doing a GET. Once you list even a single method as constrained, all other methods are enabled for everyone.


"There is no reason for any individual to have a computer in his home" ~ Ken Olson, Co-founder of DEC, 1977
Kumaravadivel Subramani
Ranch Hand

Joined: Jul 05, 2008
Posts: 166

If you want to enable constrains for GET method also have entry as below,

<http-method>GET</http-method>
<http-method> POST </http-method>


No pain, No gain.
OCJP 1.6
Deep Mukherjee
Greenhorn

Joined: Jan 04, 2010
Posts: 20
I have changed the security contrain like this

<security-constraint>
<web-resource-collection>
<web-resource-name>TestWebProject</web-resource-name>
<url-pattern>/TestWebProject/</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
</auth-constraint>
</security-constraint>


Still i am able to call the Get method.
Kumaravadivel Subramani
Ranch Hand

Joined: Jul 05, 2008
Posts: 166

Can you post your whole web.xml and provide the URL in which you are accessing html file.
Rob Spoor
Sheriff

Joined: Oct 27, 2005
Posts: 19543
    
  16

Please don't paste the entire web.xml yet. First filter out everything that's not related to the servlet in question, especially other servlets.

However, I think the problem is in the URL pattern. Your form action is "TestServlet". Your URL pattern is now "/TestWebProject/"; it was "/TestWebProject/*". My guess is that "TestWebProject" is the name of the web application. URL patterns are already relative to the web application. Change your URL pattern to "/*".


SCJP 1.4 - SCJP 6 - SCWCD 5 - OCEEJBD 6
How To Ask Questions How To Answer Questions
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: problem regarding empty auth-constraint tag
 
Similar Threads
authentication to support LDAP or database
Problem with Form-based Authentication ...
Can't display web app security
How to implement j_security_check
Cannot Connect to database using datasource realm