security-constraint for implicit welcome-file


security-constraint for implicit welcome-file

Basin Ilya

In Glassfish and Tomcat the following constraint protects access for both "/index.jsp" and "/" URIs, but in Jetty the latter is unprotected:

    <security-constraint>
        <display-name>Restricted</display-name>
        <web-resource-collection>
            <web-resource-name>index</web-resource-name>
            <description/>
            <url-pattern>/index.jsp</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>remembermeclient</role-name>
        </auth-constraint>
    </security-constraint>

On the other hand, Jetty seems to support the empty string url-pattern inside security-constraint, but Tomcat and Glassfish don't.

Who's right?


_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users
Re: security-constraint for implicit welcome-file

Jan Bartel
Ilya,

The differences you are seeing with the handling of a security constraint for the url-pattern "/index.jsp" are most probably due to the different way Glassfish/Tomcat handle welcome files as compared to Jetty. When Jetty receives a request for "/context-root/", we look to see if there is a security constraint that exactly matches as per the specification Section 13.8.3 (using the algorithm specified in 12.1). Because your constraint is /index.jsp, this does not match. Jetty then dispatches the request to the welcome file mechanism via a forward; as this is a dispatch, the security constraints cannot be re-evaluated. Most probably Glassfish/Tomcat are using a redirect instead of a forward, which will cause a second request that will be evaluated against the security constraints. If you wish, you can configure Jetty to do this too: set the init-param "redirectWelcome" to "true" for the DefaultServlet.

As for the empty string, this is mandated by the Servlet Specification section 12.2:
  "The empty string ("") is a special URL pattern that exactly maps to the application's context root, i.e., requests of the form http://host:port/<context-root>/.
    In this case the path info is '/' and the servlet path and context path is empty string ("")."

regards,
Jan



On Fri, 15 Mar 2019 at 00:37, Basin Ilya <[hidden email]> wrote:


--
Jan Bartel <[hidden email]>
www.webtide.com
Expert assistance from the creators of Jetty and CometD


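The matching rules and the forward-versus-redirect distinction Jan describes above can be checked on paper, but a small model makes the consequence concrete. The following Python is an added example, not code from Jetty, Tomcat, Glassfish or anyone in this thread: it implements the URL-pattern matching of Servlet spec sections 12.1/13.8.3 (exact, path-prefix, extension and the empty-string pattern of 12.2), then models a request for "/" being dispatched to an assumed welcome file "index.jsp" either by forward (no re-evaluation of constraints) or by redirect (a second request that is evaluated). The `serve` function, the "served"/"denied" outcomes and the constraint data are simplifications for illustration, not container internals.

```python
"""Added example: Servlet-spec URL-pattern matching and welcome-file dispatch.

Shows why a <security-constraint> on "/index.jsp" alone leaves "/" unprotected
when the welcome file is reached by a forward, why a redirect closes the gap,
and why the empty-string url-pattern ("") protects the context root directly.
"""

from dataclasses import dataclass

WELCOME_FILE = "index.jsp"  # assumed <welcome-file> entry (constructed for the example)


@dataclass(frozen=True)
class Constraint:
    """One <security-constraint>: its url-patterns and the roles it requires."""
    patterns: tuple
    roles: frozenset


def match_rank(pattern, path):
    """Rank a url-pattern against a request path per spec section 12.1.

    Returns None when the pattern does not match, otherwise a sortable key where
    a higher key wins: exact match > longest path-prefix > extension.
    """
    if pattern == "":
        # 12.2: "" maps exactly to the context root, i.e. a request for "/"
        return (3, 0) if path == "/" else None
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))
        return None
    if pattern.startswith("*."):
        last_segment = path.rsplit("/", 1)[-1]
        return (1, 0) if last_segment.endswith(pattern[1:]) else None
    return (3, len(pattern)) if path == pattern else None


def required_roles(constraints, path):
    """Roles needed for `path`, or None when no constraint matches.

    Per 13.8.3 only the constraints carrying the single best-matching pattern
    apply; their role sets are combined.
    """
    ranked = [(match_rank(p, path), p) for c in constraints for p in c.patterns]
    ranked = [(r, p) for r, p in ranked if r is not None]
    if not ranked:
        return None
    best = max(ranked)[1]
    roles = set()
    for c in constraints:
        if best in c.patterns:
            roles |= c.roles
    return roles


def authorized(constraints, path, user_roles):
    """True when the path is unconstrained or the caller holds a required role."""
    need = required_roles(constraints, path)
    return need is None or bool(need & set(user_roles))


def serve(constraints, path, user_roles, redirect_welcome=False):
    """Model one request; returns (outcome, resource that was served or refused)."""
    if not authorized(constraints, path, user_roles):
        return ("denied", path)
    if path.endswith("/"):
        target = path + WELCOME_FILE
        if redirect_welcome:
            # Redirect: the client issues a second request for the welcome file,
            # and that request passes through constraint evaluation again.
            return serve(constraints, target, user_roles, redirect_welcome)
        # Forward: a server-side dispatch; constraints are not re-evaluated,
        # so the welcome file is served to a caller who never passed the check.
        return ("served", target)
    return ("served", path)


# The constraint from the original post, as data.
INDEX_ONLY = [Constraint(("/index.jsp",), frozenset({"remembermeclient"}))]
# The same constraint with the empty-string pattern added to cover the context root.
INDEX_AND_ROOT = [Constraint(("/index.jsp", ""), frozenset({"remembermeclient"}))]

if __name__ == "__main__":
    anonymous = set()
    print(serve(INDEX_ONLY, "/", anonymous))                         # ('served', '/index.jsp')
    print(serve(INDEX_ONLY, "/", anonymous, redirect_welcome=True))  # ('denied', '/index.jsp')
    print(serve(INDEX_AND_ROOT, "/", anonymous))                     # ('denied', '/')
```

The first call reproduces the behaviour Ilya reports: with a forward, "/" is unconstrained, so the welcome file is served without the role ever being checked. Setting the model's redirect switch (the thread's "redirectWelcome" init-param on Jetty's DefaultServlet) turns that into a second, checked request. Adding the empty-string url-pattern, which the thread notes Jetty supports per section 12.2, denies the request for "/" itself before any dispatch happens, which is the more robust option when it is available.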
Re: security-constraint for implicit welcome-file

Jan Bartel
Ilya,

A correction to my previous post. It is probable that Glassfish/Tomcat are using a container-specific mechanism to handle the welcome-file. As per the spec, Section 10.10:

"The container may send the request to the welcome resource with a forward, a redirect, or a container specific mechanism that is indistinguishable from a direct request."

In the case of a container-specific mechanism that is indistinguishable from a direct request, this implies that the security constraints would be re-evaluated.

Jetty does not have a container-specific mechanism and uses only the servlet specification mechanisms of forward or redirect.

Jan

On Tue, 19 Mar 2019 at 10:48, Jan Bartel <[hidden email]> wrote:
