Title | Enhancement: tweaked web.xml |
Date | 17-Nov-2004 05:57:43 EET |
Version | 2.1.121-CVS |
Submitter | 66.167.248.120 |
PageProvider used | N/A |
Criticality | JSPWiki:EnhancementRequest |
Servlet Container | Tomcat 5.0.19 |
Browser version | Safari |
URL | N/A |
Status | ClosedBug |
Java version | Sun 1.4.2_05-b04 |
Hi Janne --
Slight enhancement for those folks (like me) who use container-managed security. The existing security constraints in web.xml (commented-out by default) are decent, but could be tightened in some areas and loosened in others.
Below are the constraints I use, which work pretty well. They protect "write" activities like editing and uploading, but permit unauthenticated downloading of attachments. Note that /attach has a constraint that requires auth for DELETE, POST and PUT operations, but not for GET or HEAD.
```xml
<security-constraint>
  <!-- "Write" activities: a login is required for every method listed here. -->
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/Edit.jsp</url-pattern>
    <url-pattern>/LoginRedirect.jsp</url-pattern>
    <url-pattern>/Upload.jsp</url-pattern>
    <url-pattern>/UserPreferences.jsp</url-pattern>
    <http-method>GET</http-method>
    <http-method>DELETE</http-method>
    <http-method>HEAD</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <!-- Attachments: only the modifying methods need a login; GET and HEAD stay open. -->
  <web-resource-collection>
    <web-resource-name>Read-only Area</web-resource-name>
    <url-pattern>/attach</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <!-- One auth-constraint applies to both collections above. -->
  <auth-constraint>
    <role-name>admin</role-name>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>
```
Thanks and keep up the fine work! --Andrew Jaquith
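As an added illustration, not JSPWiki code and not part of Andrew's post, here is a small Python model of how a servlet container decides whether a request falls under a `<security-constraint>`, with the two collections from the fragment above transcribed as data. It answers "which roles does this request need?" and lists which HTTP methods a given path leaves uncovered. That makes the design explicit: GET and HEAD on `/attach` are open on purpose, but because the Protected Area collection enumerates methods, any method it does not list (OPTIONS, TRACE in the standard set) is likewise not covered, since a `<web-resource-collection>` with `<http-method>` elements applies only to the methods named. A collection with no `<http-method>` element covers every method, and `HARDENED_COLLECTIONS` is a hypothetical variant of the fragment that uses that form for the write pages (Servlet 3.1 later added `<deny-uncovered-http-methods/>` for the same purpose; Tomcat 5.0 has no such switch). The pattern matcher also handles prefix and extension patterns the fragment does not use, so it generalizes beyond the exact-match patterns on this page; the sample paths in `main` are constructed.

```python
"""Model of servlet security-constraint matching (added example, not JSPWiki code)."""
from dataclasses import dataclass, field
from typing import List, Sequence, Tuple


def match_pattern(pattern: str, path: str) -> bool:
    """Servlet <url-pattern> rules: exact match, path prefix '/x/*', extension '*.ext', default '/'."""
    if pattern == "/":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


@dataclass
class Collection:
    """One <web-resource-collection>; an empty method list means every HTTP method is covered."""
    name: str
    url_patterns: List[str]
    http_methods: List[str] = field(default_factory=list)

    def covers(self, path: str, method: str) -> bool:
        if not any(match_pattern(p, path) for p in self.url_patterns):
            return False
        # With methods listed, only those methods fall under the constraint.
        return not self.http_methods or method.upper() in self.http_methods


# The single <auth-constraint> from the fragment applies to both collections.
CONSTRAINT_ROLES: Tuple[str, ...] = ("admin", "user")

# Transcribed from the posted web.xml fragment.
POSTED_COLLECTIONS = [
    Collection("Protected Area",
               ["/Edit.jsp", "/LoginRedirect.jsp", "/Upload.jsp", "/UserPreferences.jsp"],
               ["GET", "DELETE", "HEAD", "POST", "PUT"]),
    Collection("Read-only Area", ["/attach"], ["DELETE", "POST", "PUT"]),
]

# Hypothetical variant (not from the post): the Protected Area lists no methods,
# so every method, named or not, needs a login.  /attach keeps its deliberate split.
HARDENED_COLLECTIONS = [
    Collection("Protected Area",
               ["/Edit.jsp", "/LoginRedirect.jsp", "/Upload.jsp", "/UserPreferences.jsp"]),
    Collection("Read-only Area", ["/attach"], ["DELETE", "POST", "PUT"]),
]

STANDARD_METHODS: Tuple[str, ...] = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE")


def required_roles(path: str, method: str,
                   collections: Sequence[Collection] = POSTED_COLLECTIONS) -> Tuple[str, ...]:
    """Roles a caller must hold for this request, or () when no collection covers it."""
    for c in collections:
        if c.covers(path, method):
            return CONSTRAINT_ROLES
    return ()


def uncovered_methods(path: str, collections: Sequence[Collection] = POSTED_COLLECTIONS,
                      methods: Sequence[str] = STANDARD_METHODS) -> List[str]:
    """Methods that reach `path` with no role check at all (the review a deployer wants per path)."""
    return [m for m in methods if not required_roles(path, m, collections)]


if __name__ == "__main__":
    # Constructed sample paths: two from the fragment, one arbitrary page outside it.
    for sample in ("/Edit.jsp", "/attach", "/SomePage.jsp"):
        print(f"{sample:15} posted: {uncovered_methods(sample)}"
              f"  hardened: {uncovered_methods(sample, HARDENED_COLLECTIONS)}")
```

Running it shows `/attach` leaving GET, HEAD, OPTIONS and TRACE open under both variants (the first two by design), while `/Edit.jsp` leaves OPTIONS and TRACE uncovered under the posted constraints and nothing under the hardened variant.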
Added for 2.1.122. Good catch, I had forgotten about this. (I skipped LoginRedirect.jsp, since we don't have it :). I also left in UserPreferences.jsp, since in the future you might want to be able to do things like viewing preferences. I added Comment.jsp.)