Title: Enhancement: tweaked web.xml
Date: 17-Nov-2004 05:57:43 EET
Version: 2.1.121-CVS
Submitter: 66.167.248.120
PageProvider used: N/A
Criticality: JSPWiki:EnhancementRequest
Servlet Container: Tomcat 5.0.19
Browser version: Safari
URL: N/A
Status: ClosedBug
Java version: Sun 1.4.2_05-b04

Hi Janne --

Slight enhancement for those folks (like me) who use container-managed security. The existing security constraints in web.xml (commented-out by default) are decent, but could be tightened in some areas and loosened in others.

Below are the constraints I use, which work pretty well. They protect "write" activities like editing and uploading, but permit unauthenticated downloading of attachments. Note that /attach has a constraint that requires auth for DELETE, POST and PUT operations, but not for GET or HEAD.

   <security-constraint>
       <!-- Write activities: every listed method needs an authenticated role -->
       <web-resource-collection>
           <web-resource-name>Protected Area</web-resource-name>
           <url-pattern>/Edit.jsp</url-pattern>
           <url-pattern>/LoginRedirect.jsp</url-pattern>
           <url-pattern>/Upload.jsp</url-pattern>
           <url-pattern>/UserPreferences.jsp</url-pattern>
           <http-method>GET</http-method>
           <http-method>DELETE</http-method>
           <http-method>HEAD</http-method>
           <http-method>POST</http-method>
           <http-method>PUT</http-method>
       </web-resource-collection>

       <!-- Attachments: only modifying methods are constrained; GET and HEAD stay open -->
       <web-resource-collection>
           <web-resource-name>Read-only Area</web-resource-name>
           <url-pattern>/attach</url-pattern>
           <http-method>DELETE</http-method>
           <http-method>POST</http-method>
           <http-method>PUT</http-method>
       </web-resource-collection>

       <auth-constraint>
           <role-name>admin</role-name>
           <role-name>user</role-name>
       </auth-constraint>
   </security-constraint>

Thanks and keep up the fine work! --Andrew Jaquith
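To see exactly which requests a constraint like the one above catches, here is an added example (not part of the original post and not JSPWiki code) that parses a constructed, self-contained web.xml with the same two collections and answers "does this path plus method need container auth?"; it also lists the methods that are left uncovered, since an explicit <http-method> list constrains only the methods named.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the post's constraint, closed and wrapped in a <web-app> root.
WEB_XML = """<web-app><security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/Edit.jsp</url-pattern><url-pattern>/Upload.jsp</url-pattern>
    <http-method>GET</http-method><http-method>DELETE</http-method><http-method>HEAD</http-method>
    <http-method>POST</http-method><http-method>PUT</http-method>
  </web-resource-collection>
  <web-resource-collection>
    <web-resource-name>Read-only Area</web-resource-name>
    <url-pattern>/attach</url-pattern>
    <http-method>DELETE</http-method><http-method>POST</http-method><http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>admin</role-name><role-name>user</role-name></auth-constraint>
</security-constraint></web-app>"""

def load_constraints(xml_text):
    """One (patterns, methods, has_auth) tuple per web-resource-collection.
    An empty methods set means the constraint covers every HTTP method."""
    out = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        has_auth = sc.find("auth-constraint") is not None
        for wrc in sc.findall("web-resource-collection"):
            patterns = {p.text.strip() for p in wrc.findall("url-pattern")}
            methods = {m.text.strip() for m in wrc.findall("http-method")}
            out.append((patterns, methods, has_auth))
    return out

def pattern_matches(pattern, path):
    """Servlet url-pattern rules: exact match, '/prefix/*', or '*.ext'."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == path  # an exact pattern does not cover sub-paths

def requires_auth(constraints, path, method):
    """True when a collection with an auth-constraint matches both path and method."""
    return any(has_auth and any(pattern_matches(p, path) for p in pats)
               and (not methods or method in methods)
               for pats, methods, has_auth in constraints)

def uncovered_methods(constraints, path, candidates=("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE")):
    """Candidate methods that reach `path` with no constraint at all. Listing <http-method>
    elements constrains only those methods; anything unlisted stays open (there is no
    <deny-uncovered-http-methods/> before Servlet 3.1), so confirm the remainder is intended."""
    return [m for m in candidates if not requires_auth(constraints, path, m)]
```

A real Servlet 2.4 web.xml declares a default namespace, so the tag names would need that namespace prefix when used with ElementTree.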


Added for 2.1.122. Good catch, I had forgotten about this. (I skipped LoginRedirect.jsp, since we don't have it :). I also left in UserPreferences.jsp, since in the future you might want to be able to do things like viewing preferences. I added Comment.jsp.)

-- JanneJalkanen

This page (revision-6) was last changed on 07-Jun-2005 15:52 by 158.228.228.108