1 Reply Latest reply on Feb 1, 2002 1:46 PM by g_andre

    security constraint configuration.

    g_andre

      Hello,

      I have already posted my request on the Jetty list, but someone here may be able to help me.

      I am using JBoss-2.4.4 Jetty-3.1.3-1.
      I am trying to prevent access to all the pages in my site except the HTML pages. I have tried the following configuration, but it does not seem to work.

      <security-constraint>
        <display-name>allow html</display-name>
        <web-resource-collection>
          <url-pattern>*.html</url-pattern>
          <http-method>GET</http-method>
          <http-method>HEAD</http-method>
          <http-method>POST</http-method>
        </web-resource-collection>
      </security-constraint>

      <security-constraint>
        <display-name>deny all</display-name>
        <web-resource-collection>
          <url-pattern>/</url-pattern>
        </web-resource-collection>
      </security-constraint>

      I had a look in the SecurityHandler and the SecurityConstraint source files, and there are a few things which are not clear:

      In SecurityConstraint.forMethod:
          if (_methods==null)
              return true;
      I think it should be:
          if (_methods==null)
              return false;

      And in SecurityHandler.handle:
          // Check the method applies
          if (!sc.forMethod(request.getMethod()))
              continue;
      I think it should be:
          // Check the method applies
          if (sc.forMethod(request.getMethod()))
              break matches;

      I have tried changing it and it is working.

      I have just switched from Apache/Tomcat to Jetty, so it would be nice if someone more experienced could have a look at it.

      Thanks.

      Andre.

        • 1. Re: security constraint configuration.
          g_andre

          After more investigation, one test is missing in SecurityHandler.handle: ( sc.getMethods().size()==0 )

          Here is the corrected code:
              // Does this forbid everything?
              if ( ( sc.getMethods().size()==0 ) && !sc.isAuthenticated() && !sc.hasDataConstraint())

          The previous changes are not needed.
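An added example, not from either post in this thread: the two constraints from the opening post written the way the Servlet 2.3 deployment descriptor expects, so the policy works without patching Jetty. The web-resource-name values are assumed (the DTD requires the element); the empty auth-constraint is what turns the second constraint into a denial, because a security-constraint with no auth-constraint permits access, and the default pattern / is only consulted for requests that no more specific pattern such as *.html claims.

```xml
<!-- Added example (not from the thread): corrected web.xml fragment.
     Assumes a Servlet 2.3 descriptor; web-resource-name values are made up. -->

<!-- Permit: no <auth-constraint> at all means no role is required,
     so *.html is open to everyone for the listed methods. -->
<security-constraint>
  <display-name>allow html</display-name>
  <web-resource-collection>
    <web-resource-name>html pages</web-resource-name>
    <url-pattern>*.html</url-pattern>
    <http-method>GET</http-method>
    <http-method>HEAD</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
</security-constraint>

<!-- Deny: an <auth-constraint> that names no role can be satisfied by
     nobody, so every request reaching this constraint is refused.
     No <http-method> list means the collection covers all methods. -->
<security-constraint>
  <display-name>deny all</display-name>
  <web-resource-collection>
    <web-resource-name>everything else</web-resource-name>
    <url-pattern>/</url-pattern>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>
```

Listing http-method elements narrows the allow constraint to those methods only; dropping the list makes it cover every method, which is the simpler policy to reason about.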