[jetty-users] security-constraint for implicit welcome-file

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[jetty-users] security-constraint for implicit welcome-file

From: Basin Ilya <basinilya@xxxxxxxxx>
Date: Thu, 14 Mar 2019 16:37:30 +0300
Delivered-to: jetty-users@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/jetty-users>
List-help: <mailto:jetty-users-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=unsubscribe>
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.5.3

In Glassfish and Tomcat the following constraint protects access for both "/index.jsp" and "/" URIs, but in Jetty the latter is unprotected:

    <security-constraint>
        <display-name>Restricted</display-name>
        <web-resource-collection>
            <web-resource-name>index</web-resource-name>
            <description/>
            <url-pattern>/index.jsp</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>remembermeclient</role-name>
        </auth-constraint>
    </security-constraint>

On the other hand, Jetty seems to support the empty string url-pattern inside security-constraint, but Tomcat and Glassfish don't.

Who's right?

Follow-Ups:
- Re: [jetty-users] security-constraint for implicit welcome-file
  - From: Jan Bartel

Prev by Date: Re: [jetty-users] embedded welcomefiles+http2-push+gzip-static-content+rest-api configuration
Next by Date: Re: [jetty-users] HOT deployment doesn't support static object repalce
Previous by thread: [jetty-users] HOT deployment doesn't support static object repalce
Next by thread: Re: [jetty-users] security-constraint for implicit welcome-file
Index(es):
- Date
- Thread

Breadcrumbs