Bug
Resolution: Done
Major
1.3.24.Final, 1.4.0.Final
None
Given the following web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Unprotected</web-resource-name>
            <url-pattern>/</url-pattern>
        </web-resource-collection>
    </security-constraint>
    <security-role>
        <role-name>admin</role-name>
    </security-role>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Protected area</realm-name>
    </login-config>
</web-app>
A login prompt is expected when accessing /any-page.jsp since "/*" requires the "admin" role. Instead, every page seems to be unprotected, due to the unchecked "/" pattern specified below. Payara/GlassFish and Tomcat show the expected behaviour.
If no role is allowed (<auth-constraint /> for the /*), every page is forbidden as expected.
I've attached a WAR that reproduces the problem.
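The following is an added example, not part of the report above and not Undertow's or any other container's code. It is a small Python model of how the Servlet 3.1 specification (section 12.1 mapping precedence, applied to security constraints by section 13.8.3, with constraint combination per section 13.8.1) resolves which constraint governs a request path, so the web.xml in the report can be checked against the expected behaviour without deploying the attached WAR. The constraint names and the role-set encoding are this example's own conventions.

```python
"""Servlet-spec security-constraint resolution, modelled in Python.

Precedence when several url-patterns match a request path (Servlet 3.1,
section 12.1, used for constraints by section 13.8.3):
  exact match > longest path-prefix ("/foo/*") > extension ("*.jsp")
  > the default pattern "/".
Only constraints whose url-pattern is the best match apply. Several
constraints on that same pattern are combined per section 13.8.1:
an empty <auth-constraint/> excludes everyone and overrides the rest;
a collection without <auth-constraint> makes access unchecked;
otherwise the permitted roles are the union of the named roles.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence, Union

EXACT, PREFIX, EXTENSION, DEFAULT = 3, 2, 1, 0  # higher wins


@dataclass(frozen=True)
class Constraint:
    pattern: str
    # None        -> no <auth-constraint>: unchecked, anyone may access
    # frozenset() -> <auth-constraint/> with no roles: nobody may access
    # otherwise   -> roles, any one of which grants access
    roles: Optional[FrozenSet[str]]


def match_rank(pattern: str, path: str):
    """Return a comparable (precedence, specificity) rank if `pattern`
    matches `path`, else None. Tuples compare so that a longer
    path-prefix beats a shorter one and every class beats "/"."""
    if pattern == "/":
        return (DEFAULT, 0)
    if pattern.endswith("/*"):
        prefix = pattern[:-2]  # "/*" -> "", "/admin/*" -> "/admin"
        if path == prefix or path.startswith(prefix + "/"):
            return (PREFIX, len(prefix))
        return None
    if pattern.startswith("*."):
        last_segment = path.rsplit("/", 1)[-1]
        if "." in last_segment and last_segment.endswith(pattern[1:]):
            return (EXTENSION, 0)
        return None
    return (EXACT, 0) if pattern == path else None


def resolve(constraints: Sequence[Constraint], path: str) -> Union[str, FrozenSet[str]]:
    """Return "unchecked", "excluded", or the frozenset of roles that may
    access `path`. A path matched by no constraint is unchecked."""
    best, matched = None, []
    for c in constraints:
        rank = match_rank(c.pattern, path)
        if rank is None:
            continue
        if best is None or rank > best:
            best, matched = rank, [c]
        elif rank == best:
            matched.append(c)
    if not matched:
        return "unchecked"
    if any(c.roles is not None and not c.roles for c in matched):
        return "excluded"  # empty <auth-constraint/> overrides everything
    if any(c.roles is None for c in matched):
        return "unchecked"  # a collection without <auth-constraint>
    return frozenset().union(*(c.roles for c in matched))


# The two constraints declared in the web.xml of this report.
REPORTED_WEB_XML = (
    Constraint("/*", frozenset({"admin"})),  # "Protected"
    Constraint("/", None),                   # "Unprotected": no <auth-constraint>
)

# Variant from the report: <auth-constraint/> on "/*" instead of a role.
EXCLUDED_VARIANT = (
    Constraint("/*", frozenset()),
    Constraint("/", None),
)


def check_reported_case() -> Union[str, FrozenSet[str]]:
    """Expected per spec: /any-page.jsp is governed by "/*" and needs
    'admin'; the "/" pattern is only the default and loses to "/*"."""
    return resolve(REPORTED_WEB_XML, "/any-page.jsp")


if __name__ == "__main__":
    print("/any-page.jsp ->", check_reported_case())
    print("/any-page.jsp (empty auth-constraint) ->",
          resolve(EXCLUDED_VARIANT, "/any-page.jsp"))
```

Running the module prints the compliant outcome for the report's web.xml: `/any-page.jsp` resolves to the role set `{'admin'}`, which is the BASIC login prompt the reporter expected, and the `<auth-constraint/>` variant resolves to `excluded`. The report's observation that every page was reachable corresponds to the default `"/"` pattern being allowed to win over `"/*"`, which is the ordering this model deliberately does not permit.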