struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Craig R. McClanahan" <craig...@apache.org>
Subject Re: [OT] - Realm Security - How to set overlapping constraints?
Date Sat, 05 Jul 2003 18:07:09 GMT


On Sat, 5 Jul 2003, Navjot Singh wrote:

> Date: Sat, 5 Jul 2003 21:39:34 +0530
> From: Navjot Singh <navjot.s@net4india.net>
> Reply-To: Struts Users Mailing List <struts-user@jakarta.apache.org>
> To: Struts Users Mailing List <struts-user@jakarta.apache.org>
> Subject: [OT] - Realm Security - How to set overlapping constraints?
>
> hi,
>
> It may be quite simple but it's not working for me.
>
> I have a set of servlets
> /myapp/p/ab.do
> /myapp/p/groups.do
> /myapp/p/contacts.do
>
> AND I want all of them to be accessible to roles "user" and "admin".
>
> There is 1 more servlet that MUST be accessible ONLY to "admin"
> /myapp/p/status.do
>
> I am setting config like given below.
> But still, "user" roles are being able to access status.do
>
> What am i doing wrong?
>
> thanks for any help
> -navjot singh
>
> __My XML Declarations__
>
> <security-constraint>
> 	<web-resource-collection>
> 	  <web-resource-name>Protected</web-resource-name>
> 	  <url-pattern>*.do</url-pattern>
> 	  <http-method>GET</http-method>
> 	  <http-method>POST</http-method>
> 	</web-resource-collection>
> 	<auth-constraint>
> 	  <role-name>user</role-name>
> 	  <role-name>admin</role-name>
> 	</auth-constraint>
> </security-constraint>

The list of security roles inside an <auth-constraint> is an *or* list, so
the container is doing exactly what you told it to do -- allow anyone with
either "user" or "admin" to access all "*.do" URLs.

>
> <security-constraint>
> 	<web-resource-collection>
> 	  <web-resource-name>Show Status</web-resource-name>
> 	  <url-pattern>/p/status.do</url-pattern>
> 	  <http-method>GET</http-method>
> 	  <http-method>POST</http-method>
> 	</web-resource-collection>
> 	<auth-constraint>
> 	  <role-name>admin</role-name>
> 	</auth-constraint>
> </security-constraint>
>

The fact that this one is second means that it will never get used,
because "/p/status.do" satisfies the matching pattern on the first test.
Try reversing your constraints.

Another alternative is to do some of the role-based protection on Struts
actions in struts-config.xml instead, by using the "role" attribute on the
<action> element.  That way, you can have just your first constraint above
(the one matching "*.do") to force people to log on, and then do fine
grained control at the Struts level.

>   <security-role>
> 	  <role-name>admin</role-name>
>   </security-role>
>
>   <security-role>
> 	  <role-name>user</role-name>
>   </security-role>
>

Craig

---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org


Mime
View raw message