[jetty-dev] Fix to ConstraintSecurityHandler

Hi David,

I've checked in a small fix to the ConstraintSecurityHandler class,
jetty eclipse svn rev 149.

A web security constraint specifying particular methods was resulting
in null being returned from prepareConstraintInfo(), thus the authentication
was never triggered.

The web.xml was:

<security-constraint>
   <web-resource-collection>
     <web-resource-name>Blah</web-resource-name>
     <url-pattern>/*</url-pattern>
     <http-method>GET</http-method>
     <http-method>POST</http-method>
   </web-resource-collection>
   <auth-constraint>
     <role-name>admin</role-name>
   </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Foo Realm</realm-name>
</login-config>

<security-role>
    <role-name>admin</role-name>
</security-role>

Looks like a simple bug, and this is my fix:
             String httpMethod = request.getMethod();
             RoleInfo roleInfo = mappings.get(httpMethod);
             if (roleInfo == null)
-            {
                 roleInfo = mappings.get(null);
-                if (roleInfo != null)
-                {
-                    return roleInfo;
-                }
-            }
+            return roleInfo;
         }
+       
         return null;
     }
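
Review bot: the `if (roleInfo == null)` in this hunk is left with a braceless one-line body and `return roleInfo;` sits directly under it at the outer indent; in a path that decides whether a constraint applies, that is easy to misread or to break with a later edit, so I would keep the braces around `roleInfo = mappings.get(null);`. A one-line comment saying that the `null` key is the fallback used when there is no entry for the request's method would also help, and the added blank line after the closing brace carries trailing whitespace. Note that `return roleInfo;` can still hand back null when neither lookup finds an entry, so a test for a request method with no mapping at all would pin down that case.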

Just wanted to run it past you to make sure there's not something
I've missed.

Oh, and I modified the ConstraintTest just a little as well to
include a test for specifying an HTTP method in the constraints.

cheers
Jan
-- 
Jan Bartel, Webtide LLC | janb@xxxxxxxxxxx | http://www.webtide.com