UNDERTOW-77: url-pattern precedence handled wrong in security constraints

Details

    • Bug
    • Resolution: Done
    • Major
    • 1.0.0.Alpha20
    • 1.0.0.Alpha19
    • Security
    • None

    Description

      According to the spec, when matching security constraints to resources, the container must consider all defined url patterns and match them according to the same rules as matching servlet url patterns.

      Undertow isn't handling precedence rules. I'm attaching a web app to reproduce the problem.

      Given this constraint:

          <security-constraint>
              <web-resource-collection>
                  <web-resource-name>Unlimited Access</web-resource-name>
                  <url-pattern>/unprotected/*</url-pattern>
              </web-resource-collection>
          </security-constraint>
      
          <security-constraint>
              <auth-constraint>
                  <role-name>admin</role-name>
              </auth-constraint>
      
              <web-resource-collection>
                  <url-pattern>*.jsp</url-pattern>
              </web-resource-collection>
          </security-constraint>
      

      Every *.jsp should be protected unless it is in the /unprotected directory.

      This is because the precedence rules state that the container should consider path mapping before extension mapping.

      So http://localhost:8080/precedence/index.jsp should throw up a login challenge, but http://localhost:8080/precedence/unprotected/unprotected.jsp should not.

      Undertow presents a challenge for both requests. JBossWeb handles it correctly.
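The matching rule the report relies on (Servlet spec 12.1: exact match, then longest path prefix, then extension, then default, with only the constraints on the best-matching pattern applying) is short enough to show end to end. The example below is added here and is not Undertow's or JBossWeb's code; it is written in Python rather than Java so the precedence logic is easy to read and run. It parses the two constraints from the report (wrapped in a constructed `<web-app>` root), resolves the required roles for a request path, and also includes a hypothetical `naive_required_roles` that applies every matching constraint, which reproduces the symptom described above (a challenge on both URLs). Function and variable names are this example's own.

```python
"""Servlet url-pattern precedence applied to <security-constraint> matching."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed web.xml fragment: the two constraints from the report, wrapped in a root element.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Unlimited Access</web-resource-name>
      <url-pattern>/unprotected/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <security-constraint>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <web-resource-collection>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
  </security-constraint>
</web-app>"""


@dataclass(frozen=True)
class Constraint:
    pattern: str
    # None: no <auth-constraint>, the resource collection is unrestricted.
    # Empty set: <auth-constraint/> with no roles, nobody is allowed.
    roles: Optional[FrozenSet[str]]


def parse_constraints(xml_text: str) -> List[Constraint]:
    """Flatten every <url-pattern> of every <security-constraint> into one Constraint."""
    root = ET.fromstring(xml_text)
    out: List[Constraint] = []
    for sc in root.findall("security-constraint"):
        auth = sc.find("auth-constraint")
        roles = None if auth is None else frozenset(
            r.text.strip() for r in auth.findall("role-name"))
        for wrc in sc.findall("web-resource-collection"):
            for up in wrc.findall("url-pattern"):
                out.append(Constraint(up.text.strip(), roles))
    return out


def match_key(pattern: str, path: str) -> Optional[Tuple[int, int]]:
    """Sort key for a matching pattern (smaller = more specific), None if no match.
    Spec order: exact (0), longest path prefix (1), extension (2), default (3)."""
    if pattern == path:
        return (0, 0)
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        # "/foo/*" matches "/foo" itself and anything under "/foo/"; "/*" matches all.
        if path == prefix or path.startswith(prefix + "/"):
            return (1, -len(prefix))  # longer prefix sorts first
        return None
    if pattern.startswith("*."):
        ext = pattern[1:]  # e.g. ".jsp"
        if path.rsplit("/", 1)[-1].endswith(ext):
            return (2, 0)
        return None
    if pattern == "/":
        return (3, 0)
    return None


def required_roles(constraints: List[Constraint], path: str) -> Optional[FrozenSet[str]]:
    """Spec behaviour: only constraints on the best-matching pattern apply.
    Returns the role set required, or None when the path is unrestricted."""
    matched = [(match_key(c.pattern, path), c) for c in constraints]
    matched = [(k, c) for k, c in matched if k is not None]
    if not matched:
        return None  # no constraint covers the path
    best = min(k for k, _ in matched)
    roles = set()
    for k, c in matched:
        if k == best:
            if c.roles is None:
                return None  # an unconstrained collection on the best pattern wins
            roles |= c.roles
    return frozenset(roles)


def naive_required_roles(constraints: List[Constraint], path: str) -> Optional[FrozenSet[str]]:
    """Hypothetical buggy variant: every matching constraint applies regardless of
    precedence, so "*.jsp" overrides the more specific "/unprotected/*". This is a
    reconstruction of the reported symptom, not Undertow's actual implementation."""
    roles = set()
    for c in constraints:
        if match_key(c.pattern, path) is not None and c.roles is not None:
            roles |= c.roles
    return frozenset(roles) if roles else None


CONSTRAINTS = parse_constraints(WEB_XML)

if __name__ == "__main__":
    for p in ("/index.jsp", "/unprotected/unprotected.jsp", "/unprotected", "/css/site.css"):
        print(f"{p:32} spec={required_roles(CONSTRAINTS, p)}  naive={naive_required_roles(CONSTRAINTS, p)}")
```

Running it shows `/index.jsp` requiring `admin` under both variants, while `/unprotected/unprotected.jsp` is unrestricted under the spec rule but still demands `admin` under the naive union, which is exactly the difference between the expected and the observed behaviour in this report.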

People

  sdouglas1@redhat.com Stuart Douglas
  ssilvert@redhat.com Stan Silvert