
Hi there

I'm working on the following task:
https://issues.apache.org/bugzilla/show_bug.cgi?id=51334

I've configured a security constraint in my web.xml but noticed that my
custom authenticator is never triggered.

        <security-constraint>
                <web-resource-collection>
                        <web-resource-name>Servlet Protected Area</web-resource-name>
                        <url-pattern>/secureservlet/*</url-pattern>
                </web-resource-collection>
                <auth-constraint>
                </auth-constraint>
        </security-constraint>


Therefore, I've debugged the Tomcat sources and found the following:

        // Since authenticate modifies the response on failure,
        // we have to check for allow-from-all first.
        boolean authRequired;
        if (constraints == null) {
            authRequired = false;
        } else {
            authRequired = true;
            // Stop as soon as one constraint turns out not to need authentication
            for (int i = 0; i < constraints.length && authRequired; i++) {
                if (!constraints[i].getAuthConstraint()) {
                    // No <auth-constraint> at all: resource is open to everyone
                    authRequired = false;
                } else if (!constraints[i].getAllRoles()) {
                    // <auth-constraint> present but not "*": needs at least one role
                    String[] roles = constraints[i].findAuthRoles();
                    if (roles == null || roles.length == 0) {
                        authRequired = false;
                    }
                }
            }
        }

The following lines enforce that you must have configured an auth-constraint
and listed at least one role:
                    String [] roles = constraints[i].findAuthRoles();
                    if(roles == null || roles.length == 0) {
                        authRequired = false;
                    }


Why is it a requirement to configure a role in the auth-constraint?

Thanks
Oliver
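Added illustration (not part of Oliver's mail or of the Tomcat sources): the two forms of the constraint above, as alternatives rather than entries of one web.xml. With an empty auth-constraint no role is permitted, so the container can refuse every request to the pattern without knowing who the caller is, which is why the loop above sets authRequired to false and the authenticator never runs; naming a role makes the caller's identity matter, so authentication is triggered. The role name `user` and its security-role declaration are constructed, and the login-config that selects the authenticator is assumed to exist elsewhere in web.xml.

```xml
<!-- Form 1 (as posted): empty auth-constraint. No role is allowed, so the
     container denies every request to /secureservlet/* (HTTP 403) before
     any authenticator is consulted. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Servlet Protected Area (deny all)</web-resource-name>
    <url-pattern>/secureservlet/*</url-pattern>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>

<!-- Form 2: at least one role named. The container must now establish the
     caller's identity to decide, so the configured authenticator is invoked
     and an unauthenticated request is challenged instead of refused outright. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Servlet Protected Area</web-resource-name>
    <url-pattern>/secureservlet/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name> <!-- constructed role name -->
  </auth-constraint>
</security-constraint>

<!-- Every role referenced in an auth-constraint must also be declared. -->
<security-role>
  <role-name>user</role-name>
</security-role>
```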