[jetty-dev] Fix to ConstraintSecurityHandler
Hi David,
I've checked in a small fix to the ConstraintSecurityHandler class,
jetty eclipse svn rev 149.
A web security constraint specifying particular methods was resulting
in null being returned from prepareConstraintInfo(), thus the authentication
was never triggered.
The web.xml was:
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Blah</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Foo Realm</realm-name>
  </login-config>
  <security-role>
    <role-name>admin</role-name>
  </security-role>
Looks like a simple bug, and this is my fix:
String httpMethod = request.getMethod();
RoleInfo roleInfo = mappings.get(httpMethod);
if (roleInfo == null)
- {
roleInfo = mappings.get(null);
- if (roleInfo != null)
- {
- return roleInfo;
- }
- }
+ return roleInfo;
}
+
return null;
}
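Review bot: the fallback after "if (roleInfo == null)" is now a braceless single statement, "roleInfo = mappings.get(null);", immediately followed by the unconditional "return roleInfo;", which is easy to misread as part of the if body; keeping braces around the fallback assignment would make the control flow explicit. Separately, "return roleInfo;" can still return null when neither the request method nor the null key has a mapping, so a request using a method other than the ones listed in the constraint gets no RoleInfo. If that is the intended behaviour, a ConstraintTest case for an unlisted method would pin it down alongside the new per-method test.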
Just wanted to run it past you to make sure there's not something
I've missed.
Oh, and I modified the ConstraintTest just a little as well to
include a test for specifying an HTTP method in the constraints.
cheers
Jan
--
Jan Bartel, Webtide LLC | janb@xxxxxxxxxxx | http://www.webtide.com