http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25796

Multiple security-constraint entries in web.xml lead to too-restrictive behaviour

Summary: Multiple security-constraint entries in web.xml lead to too-restrictive behaviour
Product: Tomcat 5
Version: 5.0.16
Platform: PC
OS/Version: Windows XP
Status: NEW
Severity: Normal
Priority: Other
Component: Catalina
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]

I have a web.xml containing two security constraints:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>PublicPages</web-resource-name>
        <url-pattern>/AccountMan.do</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>UserPages</web-resource-name>
        <url-pattern>*.do</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>xsap_ebiz_user</role-name>
      </auth-constraint>
      <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

The idea is that all *.do URLs are protected, with the exception of AccountMan.do which is publicly visible (no auth-constraint). This works fine on Tomcat 4.1-29 and on SAP J2EE Engine 6.20.

In Tomcat 5.0-16 and 5.0-14 (the only releases I have tested), attempting to access AccountMan.do brings up the login page instead of going straight to the page itself (a Struts forward to a Tiles definition).

This behaviour contradicts the Servlet 2.4 spec, SRV.12.8.1 Combining Constraints: "A security constraint that does not contain an authorization constraint shall combine with authorization constraints that name or imply roles to allow unauthenticated access."

Cheers,
Darren Hague

P.S. This is my first bugzilla report - please let me know if I could have done anything better.
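The following is an added example, not code from the bug report or from Tomcat, showing the access decision the reporter expects for the two constraints above. Constraint selection (the best-matching url-pattern wins, as Tomcat 4 does; exact, then path-prefix, then extension, then default) is this example's assumption; the combining of the selected constraints follows the SRV.12.8.1 rule quoted in the report: a constraint with no auth-constraint yields unauthenticated access, an empty auth-constraint precludes access, otherwise the permitted roles are the union. The extra "Admins" and "Retired" constraints and the request paths are constructed for illustration.

```python
"""Effective access for a request under the Servlet 2.4 constraint-combining rule.

Added example (not Tomcat code). Selection by best-matching url-pattern is an
assumption of this example; the combining rule is the one quoted from SRV.12.8.1.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Constraint:
    name: str
    patterns: List[str]                 # <url-pattern> values
    methods: List[str]                  # <http-method> values; [] means every method
    roles: Optional[List[str]] = None   # None: no <auth-constraint>; []: empty one (deny all)


def specificity(pattern: str, path: str) -> Optional[Tuple[int, int]]:
    """Rank how specifically PATTERN matches PATH (higher is better), or None."""
    if pattern == path:                          # exact match
        return (3, len(pattern))
    if pattern.endswith("/*"):                   # path-prefix match, longest prefix wins
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))
    if pattern.startswith("*."):                 # extension match on the last segment
        if path.rsplit("/", 1)[-1].endswith(pattern[1:]):
            return (1, len(pattern))
    if pattern == "/":                           # default match
        return (0, 0)
    return None


def applicable(constraints: List[Constraint], path: str, method: str) -> List[Constraint]:
    """All constraints covering METHOD whose pattern is the best match for PATH (assumption)."""
    best, chosen = None, []
    for c in constraints:
        if c.methods and method not in c.methods:
            continue                              # this collection does not cover the method
        for p in c.patterns:
            rank = specificity(p, path)
            if rank is None:
                continue
            if best is None or rank > best:
                best, chosen = rank, [c]
            elif rank == best and c not in chosen:
                chosen.append(c)
    return chosen


def effective_access(constraints: List[Constraint], path: str, method: str) -> Tuple[str, Set[str]]:
    """Combine the applicable constraints per SRV.12.8.1.

    Returns one of: ("unconstrained", set()), ("unauthenticated", set()),
    ("precluded", set()), ("roles", {permitted role names}).
    """
    chosen = applicable(constraints, path, method)
    if not chosen:
        return "unconstrained", set()
    if any(c.roles == [] for c in chosen):       # empty auth-constraint overrides everything
        return "precluded", set()
    if any(c.roles is None for c in chosen):     # no auth-constraint => unauthenticated access
        return "unauthenticated", set()
    roles: Set[str] = set()
    for c in chosen:                              # otherwise the union of the named roles
        roles |= set(c.roles)
    return "roles", roles


# The two constraints from the report's web.xml.
WEB_XML_CONSTRAINTS = [
    Constraint("PublicPages", ["/AccountMan.do"], ["GET", "POST"], roles=None),
    Constraint("UserPages", ["*.do"], ["GET", "POST"], roles=["xsap_ebiz_user"]),
]

# Constructed additions to show role union and the empty-auth-constraint case.
EXTENDED_CONSTRAINTS = WEB_XML_CONSTRAINTS + [
    Constraint("Admins", ["*.do"], ["GET", "POST"], roles=["admin"]),
    Constraint("Retired", ["/Old.do"], [], roles=[]),
]

if __name__ == "__main__":
    for path, method in [("/AccountMan.do", "GET"), ("/Other.do", "GET"),
                         ("/Other.do", "HEAD"), ("/Old.do", "GET")]:
        print(path, method, effective_access(EXTENDED_CONSTRAINTS, path, method))
```

Two things worth noticing when running it: /AccountMan.do resolves to unauthenticated access exactly as the reporter expects, and HEAD /Other.do comes out unconstrained, because both collections list only GET and POST; a constraint that enumerates http-method elements leaves every other method unprotected, so a practitioner who wants every verb covered should omit the http-method elements entirely.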