Re: [jetty-users] security-constraint for implicit welcome-file

Ilya,

The differences you are seeing with the handling of a security constraint for the url-pattern "/index.jsp" are most probably due to the different way Glassfish/Tomcat handle welcome files as compared to Jetty. When Jetty receives a request for "/context-root/", we look to see if there is a security constraint that exactly matches as per the specification Section 13.8.3 (using the algorithm specified in 12.1). Because your constraint is /index.jsp, this does not match. Jetty then dispatches the request to the welcome file mechanism via a forward - as this is a dispatch, the security constraints cannot be re-evaluated. Most probably Glassfish/Tomcat are using a redirect instead of a forward, which will cause a second request that will be evaluated against the security constraints. If you wish, you can configure Jetty to do this too: set the init-param "redirectWelcome" to "true" for the DefaultServlet.

As for the empty string, this is mandated by the Servlet Specification section 12.2:
  "The empty string ("") is a special URL pattern that exactly maps to the application's context root, i.e., requests of the form http://host:port/<context-root>/.
    In this case the path info is '/' and the servlet path and context path is empty string ("")."

regards,
Jan



On Fri, 15 Mar 2019 at 00:37, Basin Ilya <basinilya@xxxxxxxxx> wrote:

In Glassfish and Tomcat the following constraint protects access for both "/index.jsp" and "/" URIs, but in Jetty the latter is unprotected:

    <security-constraint>
        <display-name>Restricted</display-name>
        <web-resource-collection>
            <web-resource-name>index</web-resource-name>
            <description/>
            <url-pattern>/index.jsp</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>remembermeclient</role-name>
        </auth-constraint>
    </security-constraint>

On the other hand, Jetty seems to support the empty string url-pattern inside security-constraint, but Tomcat and Glassfish don't.

Who's right?



--
Jan Bartel <janb@xxxxxxxxxxx>
www.webtide.com
Expert assistance from the creators of Jetty and CometD
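The weak constraint from the thread beside the two fixes Jan describes, as an added example (not code from the thread or from the Jetty project). It assumes Jetty 9.x web.xml fragments and that the default servlet class is org.eclipse.jetty.servlet.DefaultServlet; the role name is the one from Ilya's post.

```xml
<!-- Added example, not from the thread. Assumes Jetty 9.x, where the default
     servlet is org.eclipse.jetty.servlet.DefaultServlet. -->

<!-- Weak: only the welcome file itself is named. A request for "/context-root/"
     has no exact match, is forwarded to /index.jsp, and because a forward is a
     dispatch the constraint is never evaluated for that request. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>index</web-resource-name>
        <url-pattern>/index.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>remembermeclient</role-name>
    </auth-constraint>
</security-constraint>

<!-- Fix 1: also constrain the context root with the empty-string pattern
     (Servlet spec 12.2), so "/context-root/" matches before any forward. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>index</web-resource-name>
        <url-pattern>/index.jsp</url-pattern>
        <url-pattern></url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>remembermeclient</role-name>
    </auth-constraint>
</security-constraint>

<!-- Fix 2: have Jetty redirect to the welcome file instead of forwarding, so the
     client issues a second request for /index.jsp that is checked normally. -->
<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.eclipse.jetty.servlet.DefaultServlet</servlet-class>
    <init-param>
        <param-name>redirectWelcome</param-name>
        <param-value>true</param-value>
    </init-param>
</servlet>
```

As the thread notes, the empty-string pattern is honoured by Jetty but not by Tomcat or Glassfish, so a web.xml that must deploy on all three should rely on the redirect behaviour rather than on fix 1 alone.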

