Tuesday, April 7, 2009

web.xml security limitations

It appears that web.xml security is kinda useless in the real world - it has few severe limitations:
  • This will not work at all (several wildcards):
    <url-pattern>/stations/*/departure/*</url-pattern>

  • This will not work as expected, because only one security constraint will be checked (both constraints work separately):

    <security-constraint>
    <display-name>Station 14 constraint</display-name>
    <web-resource-collection>
    <web-resource-name>All station 14'th resources</web-resource-name>
    <url-pattern>/stations/14/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>STATION_14</role-name>
    </auth-constraint>
    </security-constraint>

    <security-constraint>
    <display-name>View arrival constraint</display-name>
    <web-resource-collection>
    <web-resource-name>View arrival page</web-resource-name>
    <url-pattern>/stations/14/arrival/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>VIEW_ARRIVAL</role-name>
    </auth-constraint>
    </security-constraint>
Had to spend three days to figure it out :( Now I'm going to investigate Spring Security (AKA Acegi Security).