
I have a java webapp that uses web.xml to configure its security:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>webPages</web-resource-name>
        <description>All web resources</description>
        <url-pattern></url-pattern>
        <url-pattern>/admin/*</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admins</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description>SSL not required</description>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>

I want all pages under /admin/* to be protected, and this works. The user correctly first sees a login screen, and is redirected afterwards to the originally requested page.

I would also like my context root to be protected: http://host:port/context/ However, when I configure the pattern <url-pattern></url-pattern> and make a request to the root, my java controller just starts working and shows the view without the user ever seeing the login screen. Why does this pattern work for things like <servlet-mapping> (to map the request to the spring servlet) but not as a security constraint?

I tried in both chrome and firefox and restarted multiple times.

user1884155

1 Answer


You could try a white-list approach, which means giving access to public resources only.

Here is a better answer with an example, but in your case it should be something like this:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>webPages</web-resource-name>
    <description>All web resources</description>
    <url-pattern>/</url-pattern>
    <http-method>POST</http-method>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admins</role-name>
  </auth-constraint>
  <user-data-constraint>
    <description>SSL not required</description>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<security-constraint>   
  <web-resource-collection>
    <web-resource-name>Public Resources</web-resource-name>
    <url-pattern>/public/*</url-pattern>
    <url-pattern>/alsopublic</url-pattern>
    <url-pattern>...and so on...</url-pattern>
  </web-resource-collection>  
  <!-- to give public access, don't set an auth-constraint -->
</security-constraint>

Edit: Ref to servlet 3 specification

Guillermo
  • This doesn't work. The server correctly knows that the root is now "secured", but when it tries to redirect to the login page, located at /login.do, I think this request gets blocked too. After a few seconds I get an error message on the server saying the maximum amount of threads has been created, which indicates an infinite loop. Also, your link to the servlet 3 specs doesn't work for me: I'm not authorized to perform that request, it seems. – user1884155 Jul 04 '16 at 14:45
  • I don't understand your comment: does / secure the root only, like it should? Also specify what /login.do does after logging in the user (e.g. where it redirects). – Guillermo Jul 04 '16 at 14:57
  • By declaring /, it also secures all my other content, not just the root. I think that / is not the proper way to describe the context root. According to servlet 3.0, the correct url pattern is the empty string. – user1884155 Jul 04 '16 at 22:44
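To make the difference between the two patterns concrete, here is a small Python model of the url-pattern matching and constraint-combining rules from the Servlet 3.0 specification (sections 12.2 and 13.8.1) that the answer and the last comment refer to. It is an added example, not code from the question, the answer, or any servlet container. It assumes request paths relative to the context root ("/" for the root itself); the two web.xml configurations are transcribed from the thread, while the login-page whitelist variant and the request paths are constructed for the demonstration.

```python
"""Model of how a Servlet 3.0 container selects and combines security
constraints for one request (spec sections 12.2 and 13.8.1).

Added illustration for the thread above; it is not code from the question,
the answer or any container.  QUESTION and ANSWER are transcribed from the
thread, ANSWER_WITH_LOGIN and the request paths are constructed samples."""

from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Constraint:
    """One <security-constraint>: its url-patterns, http-methods and roles."""
    name: str
    patterns: List[str]
    methods: Set[str] = field(default_factory=set)  # empty == every method
    roles: Optional[List[str]] = None  # None == no <auth-constraint> at all;
                                       # [] == <auth-constraint/> naming no role


def match_kind(pattern: str, path: str) -> Optional[str]:
    """Classify how one url-pattern matches a request path that is relative
    to the context ('/' is the context root).  None means no match."""
    if pattern == "":                       # empty string: the context root only
        return "exact" if path == "/" else None
    if pattern == "/":                      # default pattern: matches everything
        return "default"
    if pattern.endswith("/*"):              # path-prefix mapping
        prefix = pattern[:-2]
        return "prefix" if path == prefix or path.startswith(prefix + "/") else None
    if pattern.startswith("*."):            # extension mapping
        return "extension" if path.endswith(pattern[1:]) else None
    return "exact" if path == pattern else None


def _uniq(constraints):
    out = []
    for c in constraints:
        if not any(c is o for o in out):
            out.append(c)
    return out


def applicable(constraints, path, method):
    """Constraints governing one request: every constraint with an exact
    match; otherwise those sharing the longest matching prefix; otherwise
    extension matches; otherwise the ones using the default '/' pattern.
    A constraint listing <http-method> elements covers only those methods."""
    hits = {"exact": [], "prefix": [], "extension": [], "default": []}
    for c in constraints:
        if c.methods and method not in c.methods:
            continue                        # uncovered verb: constraint ignored
        for p in c.patterns:
            kind = match_kind(p, path)
            if kind:
                hits[kind].append((p, c))
    if hits["exact"]:
        return _uniq([c for _, c in hits["exact"]])
    if hits["prefix"]:
        longest = max(len(p) for p, _ in hits["prefix"])
        return _uniq([c for p, c in hits["prefix"] if len(p) == longest])
    if hits["extension"]:
        return _uniq([c for _, c in hits["extension"]])
    return _uniq([c for _, c in hits["default"]])


def decide(constraints, path, method="GET"):
    """Combine the applicable constraints (13.8.1): an auth-constraint naming
    no roles denies everyone, a constraint with no auth-constraint grants
    unauthenticated access, otherwise the union of the roles is required."""
    matched = applicable(constraints, path, method)
    if not matched:
        return "unconstrained"              # the container never asks for a login
    if any(c.roles == [] for c in matched):
        return "denied"
    if any(c.roles is None for c in matched):
        return "public"
    return "roles:" + ",".join(sorted({r for c in matched for r in c.roles}))


# The question's web.xml: "" (context root) and /admin/*, GET and POST only.
QUESTION = [Constraint("webPages", ["", "/admin/*"], {"GET", "POST"}, ["admins"])]

# The answer's web.xml: "/" protected, plus a whitelist of public resources.
ANSWER = [
    Constraint("webPages", ["/"], {"GET", "POST"}, ["admins"]),
    Constraint("Public Resources", ["/public/*", "/alsopublic"]),
]

# Constructed variant: the login page taken out of the "/" constraint by an
# exact pattern in a collection that carries no auth-constraint.
ANSWER_WITH_LOGIN = ANSWER + [Constraint("Login page", ["/login.do"])]


if __name__ == "__main__":
    for label, cfg in (("question", QUESTION), ("answer", ANSWER),
                       ("answer+login", ANSWER_WITH_LOGIN)):
        for path, method in (("/", "GET"), ("/admin/users", "GET"),
                             ("/admin/users", "HEAD"), ("/about", "GET"),
                             ("/login.do", "GET"), ("/public/site.css", "GET")):
            print(f"{label:13} {method:4} {path:18} -> {decide(cfg, path, method)}")
```

Under these rules the empty-string pattern is an exact match for the context root and nothing else, whereas "/" is the default pattern that catches every request no other pattern claims, which is why the answer's configuration also swallows /login.do: with only the "/" constraint present, the redirect target itself requires the admins role, and an exact-pattern collection without an auth-constraint is what takes it back out. Two caveats the model also makes visible: listing <http-method>GET</http-method> and POST limits the constraint to those two verbs, so a HEAD or PUT to /admin/users is unconstrained (omit the http-method elements to cover every verb, or on Servlet 3.1 add <deny-uncovered-http-methods/>), and a collection that has no <auth-constraint> overrides any role requirement from other matching constraints, so whitelist entries should be as narrow as possible.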