Tuesday, April 7, 2009

web.xml security limitations

It appears that web.xml security is of limited use in the real world: the declarative security constraints have a few severe limitations.
  • This will not work at all. A <url-pattern> may only be an exact path, a path prefix ending in /*, an extension pattern such as *.jsp, or the default pattern /; several wildcards, or a wildcard in the middle of the path, are not supported:
    <url-pattern>/stations/*/departure/*</url-pattern>

  • This will not work as expected, because only one of the two security constraints will be checked. The container applies the constraints attached to the best-matching <url-pattern> only, so a request for /stations/14/arrival/... is matched by /stations/14/arrival/* and checked against VIEW_ARRIVAL alone; STATION_14 is never required for it. Each constraint works fine on its own; they just do not stack. Listing both roles in a single <auth-constraint> does not help either, since multiple <role-name> entries mean "any of these roles", not "all of them":

    <security-constraint>
      <display-name>Station 14 constraint</display-name>
      <web-resource-collection>
        <web-resource-name>All station 14 resources</web-resource-name>
        <url-pattern>/stations/14/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>STATION_14</role-name>
      </auth-constraint>
    </security-constraint>

    <security-constraint>
      <display-name>View arrival constraint</display-name>
      <web-resource-collection>
        <web-resource-name>View arrival page</web-resource-name>
        <url-pattern>/stations/14/arrival/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>VIEW_ARRIVAL</role-name>
      </auth-constraint>
    </security-constraint>

I had to spend three days to figure it out :( Now I'm going to investigate Spring Security (AKA Acegi Security).
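For the second case, a servlet Filter can enforce both rules at once, which a web.xml constraint cannot express. The following is an added example, not code from the original post: it requires STATION_<n> for anything under /stations/<n>/ and additionally VIEW_ARRIVAL for /stations/<n>/arrival/*, using the role names from the constraints above. It assumes container-managed authentication is still configured (for example a single web.xml constraint on /stations/* with <role-name>*</role-name> so that the login challenge happens before the filter runs), that the container has already normalised the request path, and that the filter is mapped to /stations/* as shown in the comment at the end. The class name, the path regex and the section name "arrival" are this example's own choices.

```java
import java.io.IOException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not from the original post): enforces the station role AND the
 * page role for the arrival pages, which web.xml cannot do because the container
 * only applies the constraints of the best-matching url-pattern and ORs the roles
 * inside one auth-constraint.
 *
 * Assumption: the container has already authenticated the user (a web.xml
 * constraint on /stations/* with <role-name>*</role-name> is enough for that),
 * so getUserPrincipal() and isUserInRole() are meaningful here.
 */
public class StationAuthFilter implements Filter {

    // Matches /stations/<number>[/<section>[/...]] and captures the number and section.
    // \d+ for the station number means the role name built below cannot contain
    // anything but digits.
    private static final Pattern STATION_PATH =
        Pattern.compile("^/stations/(\\d+)(?:/([^/]+))?(?:/.*)?$");

    @Override
    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path relative to the context root (servlet path plus path info),
        // already decoded and normalised by the container.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }

        Matcher m = STATION_PATH.matcher(path);
        if (m.matches()) {
            if (request.getUserPrincipal() == null) {
                // Should not happen if the web.xml login constraint is in place.
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            String station = m.group(1);
            String section = m.group(2);

            // Rule 1: everything under /stations/<n>/ needs STATION_<n>.
            boolean allowed = request.isUserInRole("STATION_" + station);

            // Rule 2: the arrival pages additionally need VIEW_ARRIVAL (AND, not OR).
            if (allowed && "arrival".equals(section)) {
                allowed = request.isUserInRole("VIEW_ARRIVAL");
            }

            if (!allowed) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}

// web.xml wiring assumed by this example:
//
//   <filter>
//     <filter-name>stationAuth</filter-name>
//     <filter-class>StationAuthFilter</filter-class>
//   </filter>
//   <filter-mapping>
//     <filter-name>stationAuth</filter-name>
//     <url-pattern>/stations/*</url-pattern>
//   </filter-mapping>
```

Keep a coarse web.xml constraint in place alongside the filter: security constraints are evaluated before any filter runs, so they remain the only way to trigger the container's login challenge, while the filter does the fine-grained check that the declarative rules cannot express.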