aspose file tools*
The moose likes Servlets and the fly likes problem regarding empty auth-constraint tag Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Java » Servlets
Bookmark "problem regarding empty auth-constraint tag" Watch "problem regarding empty auth-constraint tag" New topic
Author

problem regarding empty auth-constraint tag

Deep Mukherjee
Greenhorn

Joined: Jan 04, 2010
Posts: 20
I have created one jsp and called a servelt from there .My JSP contains following code

<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Insert title here</title>
</head>
<body>
<form method=GET action="TestServlet">
<INPUT TYPE=SUBMIT>
</form>
</body>
</html>

I have wriiten a sysout state ment in servlet post method.I have put a security constrain in web.xml like this


<security-constraint>
<web-resource-collection>
<web-resource-name>TestWebProject</web-resource-name>
<url-pattern>/TestWebProject/*</url-pattern>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
</auth-constraint>
</security-constraint>


as my </auth-constraint> tag is blank according to defination Post method should not be invoked .But in this case it is getting called and i can see Sysout statement in console .Can any one help where i am wrong?
J. Kevin Robbins
Bartender

Joined: Dec 16, 2010
Posts: 1043
    
  13

You've constrained POST but your form is doing a GET. Once you list even a single method as constrained, all other methods are enabled for everyone.


"The good news about computers is that they do what you tell them to do. The bad news is that they do what you tell them to do." -- Ted Nelson
Kumaravadivel Subramani
Ranch Hand

Joined: Jul 05, 2008
Posts: 166

If you want to enable constrains for GET method also have entry as below,

<http-method>GET</http-method>
<http-method> POST </http-method>


No pain, No gain.
OCJP 1.6
Deep Mukherjee
Greenhorn

Joined: Jan 04, 2010
Posts: 20
I have changed the security contrain like this

<security-constraint>
<web-resource-collection>
<web-resource-name>TestWebProject</web-resource-name>
<url-pattern>/TestWebProject/</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
</auth-constraint>
</security-constraint>


Still i am able to call the Get method.
Kumaravadivel Subramani
Ranch Hand

Joined: Jul 05, 2008
Posts: 166

Can you post your whole web.xml and provide the URL in which you are accessing html file.
Rob Spoor
Sheriff

Joined: Oct 27, 2005
Posts: 19762
    
  20

Please don't paste the entire web.xml yet. First filter out everything that's not related to the servlet in question, especially other servlets.

However, I think the problem is in the URL pattern. Your form action is "TestServlet". Your URL pattern is now "/TestWebProject/"; it was "/TestWebProject/*". My guess is that "TestWebProject" is the name of the web application. URL patterns are already relative to the web application. Change your URL pattern to "/*".


SCJP 1.4 - SCJP 6 - SCWCD 5 - OCEEJBD 6
How To Ask Questions How To Answer Questions
 
wood burning stoves
 
subject: problem regarding empty auth-constraint tag