> From: André Warnier [mailto:a...@ice-sa.com]
> Subject: Re: Security Constraint conflict
>
> I suggest that the Servlet Spec be revised by a German engineer, to the
> effect that everything not specifically allowed is forbidden.
Or we could try the quantum physics interpretati
Caldarale, Charles R wrote:
From: Pid [mailto:p...@pidster.com]
Subject: Re: Security Constraint conflict
The logical union of 'no methods' and 'some methods' is 'some methods',
isn't it? But...
Yes, except the spec says the operation is *not* a union when
> From: Pid [mailto:p...@pidster.com]
> Subject: Re: Security Constraint conflict
>
> The logical union of 'no methods' and 'some methods' is 'some methods',
> isn't it? But...
Yes, except the spec says the operation is *not* a union when a con
On 21/09/2009 01:20, Caldarale, Charles R wrote:
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Subject: Re: Security Constraint conflict
On 9/18/2009 9:47 PM, Bill Barker wrote:
I haven't checked the Servlet 3 spec, but with earlier versions,
the union process is to giv
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Subject: Re: Security Constraint conflict
>
> On 9/18/2009 9:47 PM, Bill Barker wrote:
> > I haven't checked the Servlet 3 spec, but with earlier versions,
> > the union process is to give you the
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Bill,
On 9/18/2009 9:47 PM, Bill Barker wrote:
> I haven't checked the Servlet 3 spec, but with earlier versions, the union
> process is to give you the *least* restrictive checking (i.e. you just have
> to pass one constraint to pass). And, yes, t
"Christopher Schultz" wrote in message
news:4ab3f5f1.5060...@christopherschultz.net...
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Peter,
>
> On 9/18/2009 4:34 PM, Peter Holcomb wrote:
>> Thanks for your response. I've read through the example in 13.7.2 of
>> the spec
>
> Which versio
My bad - I was quoting the servlet 3.0 spec (usually the headings align)
I need to reread but it might be a bug. (I dont have the spec in front
of me) but IIRC it said something to the effect of using the url + the
HTTP method to get all applicable constraints. And then unioning them
together.
I was actually looking in the 3.0 spec (here:
http://jcp.org/aboutJava/communityprocess/pr/jsr315/index.html) but I
believe the same example is available in the 2.4 spec under 12.8.2.
It's the example under "combining constraints".
I can't figure out the unioning process other than maybe it's unio
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Peter,
On 9/18/2009 4:34 PM, Peter Holcomb wrote:
> Thanks for your response. I've read through the example in 13.7.2 of
> the spec
Which version of the spec? I don't see a section 13.8 at all in either
2.4 or 2.5 of the spec. I see the heading "Com
By the way, this works as we expected in Websphere and WebLogic.
On Fri, Sep 18, 2009 at 3:34 PM, Peter Holcomb wrote:
> Tim,
>
> Thanks for your response. I've read through the example in 13.7.2 of
> the spec but I don't think I'm understanding how the union works.
> According to my thought p
Tim,
Thanks for your response. I've read through the example in 13.7.2 of
the spec but I don't think I'm understanding how the union works.
According to my thought process, the url patterns are:
*.xhtml - access precluded
/* PUT,DELETE,TRACE,OPTIONS - access precluded
How does the unioning of
See 13.8.1 of the servlet spec.
The result in is unioning all the constraints together for one that passes
It might be easier to write a filter to implement the restriction that
only GET/POST/HEAD is allowed.
-Tim
Peter Holcomb wrote:
We have a situation where we recently introduced a new s
We have a situation where we recently introduced a new security
constraint into our configuration that has caused a conflict with our
previous constraint. Here's our current configuration:
Restrict access to XHTML pages
Restrict access to XHTML pages
*.xhtml
With no roles
14 matches
Mail list logo
