The wording of section 13.4.1 on @ServletSecurity has been updated in a number of places regarding @HttpConstraint with all default values. For example, pg. 127:
"For the special case where an @HttpConstraint that returns all default values¹ occurs in combination with at least one @HttpMethodConstraint that returns other than all default values, the @HttpConstraint represents that no security constraint is to be applied to any of the HTTP protocol methods to which a security constraint would otherwise apply. This exception is made to ensure that such potentially non-specific uses of @HttpConstraint do not yield constraints that will explicitly establish unprotected access for such methods; given that they would not otherwise be covered by a constraint."
I find this language very difficult to understand, and there are no explicit examples of mappings to <security-constraint> that would help de-mystify it. Given this annotation:

    @ServletSecurity(httpMethodConstraints =
        @HttpMethodConstraint(value = "GET", rolesAllowed = "R1"))
Does the wording of this section imply that the above annotation maps to a single constraint only (leaving out the <web-resource-collection> for brevity):

    <security-constraint>
      <http-method>GET</http-method>
      <auth-constraint>
        <role-name>R1</role-name>
      </auth-constraint>
    </security-constraint>

?
If so, what is the semantic difference to following the rules for mapping to <security-constraint> outlined on pg 131/132, which would result in 2 mappings:

    <security-constraint>
      <http-method-omission>GET</http-method-omission>
      <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

    <security-constraint>
      <http-method>GET</http-method>
      <auth-constraint>
        <role-name>R1</role-name>
      </auth-constraint>
    </security-constraint>

?
Also, I cannot see from the spec how I would create an @ServletSecurity annotation that permitted access to an authenticated user that was in any one of the roles defined for the webapp (i.e. the equivalent of the special <role-name>*</role-name>). The spec and javadoc explicitly state that when used in @HttpConstraint rolesAllowed or @HttpMethodConstraint rolesAllowed, the value "*" has no "special meaning", e.g. pg 133 and the javadocs for both annotations.
Jan
--
Jan Bartel <janb_at_intalio.com>
www.webtide.com – Developer advice, services and support
from the Jetty & CometD experts.
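An added illustration, not part of Jan's message or of the spec text, placing the GET-only annotation from the question beside a variant with an explicit, non-default top-level @HttpConstraint, so that the pg. 127 special case no longer applies and the HTTP methods not listed in httpMethodConstraints also carry a constraint. The servlet class names and URL patterns are made up.

```java
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;

// Shape 1: the annotation from the question. The top-level @HttpConstraint is
// left at its defaults, so the special case quoted from pg. 127 applies: only
// GET carries a constraint (role R1); POST, PUT, DELETE, ... get none from here.
@WebServlet("/example/get-only")          // hypothetical URL pattern
@ServletSecurity(httpMethodConstraints =
    @HttpMethodConstraint(value = "GET", rolesAllowed = "R1"))
class GetOnlyServlet extends HttpServlet {
}

// Shape 2: the same GET rule, but with an explicit, non-default top-level
// @HttpConstraint. That constraint no longer "returns all default values", so
// the special case does not apply and every method without its own
// @HttpMethodConstraint (POST, PUT, DELETE, ...) is covered by it:
// role R1 over a confidential (TLS) transport.
@WebServlet("/example/all-methods")       // hypothetical URL pattern
@ServletSecurity(
    value = @HttpConstraint(
        rolesAllowed = "R1",
        transportGuarantee = TransportGuarantee.CONFIDENTIAL),
    httpMethodConstraints = {
        @HttpMethodConstraint(
            value = "GET",
            rolesAllowed = "R1",
            transportGuarantee = TransportGuarantee.CONFIDENTIAL)
    })
class AllMethodsServlet extends HttpServlet {
}
```

When checking a deployed application for methods left without a constraint, comparing the container's effective <security-constraint> set for each shape against the web.xml fragments above is the quickest way to see the difference.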