1 Reply Latest reply on Feb 1, 2002 1:46 PM by andre gerard

    security constraint configuration.

    andre gerard Newbie

      Hello,

      I have already post my request on the jetty list, but someone here may be able help me.

      I am using JBoss-2.4.4 Jetty-3.1.3-1.
      I am trying to prevent access to all the pages in my site except the html pages. I have tried the following configuration but it does not seems to work.

      <security-constraint>
      <display-name>allow html</display-name>
      <web-resource-collection>
      <url-pattern>*.html</url-pattern>
      <http-method>GET</http-method>
      <http-method>HEAD</http-method>
      <http-method>POST</http-method>
      </web-resource-collection>
      </security-constraint>

      <security-constraint>
      <display-name>deny all</display-name>
      <web-resource-collection>
      <url-pattern>/</url-pattern>
      </web-resource-collection>
      </security-constraint>

      I had a look in the SecurityHandler and the SecurityConstraint source files, and there are a few things which are not clear:

      in SecurityConstraint.forMethod:
      if (_methods==null)
      return true;
      I think it should be:
      if (_methods==null)
      return false;

      and in SecurityHandler.handle:
      // Check the method applies
      if (!sc.forMethod(request.getMethod()))
      continue;
      I think it should be:
      // Check the method applies
      if (sc.forMethod(request.getMethod()))
      break matches;

      I have tried to change it and it is working.

      I have just switched from apache/tomcat to jetty, so It would be nice if someone more experimented could have a look at it.

      Thanks.

      Andre.