Bug report for Taglibs [2013/04/21]

2013-04-21 Thread bugzilla
+---+
| Bugzilla Bug ID   |
| +-+
| | Status: UNC=Unconfirmed NEW=New ASS=Assigned|
| | OPN=Reopened VER=Verified (Skipped Closed/Resolved)   |
| |   +-+
| |   | Severity: BLK=Blocker CRI=Critical  REG=Regression  MAJ=Major   |
| |   |   MIN=Minor   NOR=Normal ENH=Enhancement TRV=Trivial |
| |   |   +-+
| |   |   | Date Posted |
| |   |   |  +--+
| |   |   |  | Description  |
| |   |   |  |  |
|38193|Ass|Enh|2006-01-09|[RDC] BuiltIn Grammar support for Field   |
|38600|Ass|Enh|2006-02-10|[RDC] Enable RDCs to be used in X+V markup (X+RDC)|
|42413|New|Enh|2007-05-14|[PATCH] Log Taglib enhancements   |
|46052|New|Nor|2008-10-21|SetLocaleSupport is slow to initialize when many l|
|48333|New|Enh|2009-12-02|TLD generator |
+-+---+---+--+--+
| Total    5 bugs   |
+---+

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Bug report for Tomcat 7 [2013/04/21]

2013-04-21 Thread bugzilla
+---+
| Bugzilla Bug ID   |
| +-+
| | Status: UNC=Unconfirmed NEW=New ASS=Assigned|
| | OPN=ReopenedVER=Verified(Skipped Closed/Resolved)   |
| |   +-+
| |   | Severity: BLK=Blocker CRI=Critical  REG=Regression  MAJ=Major   |
| |   |   MIN=Minor   NOR=NormalENH=Enhancement TRV=Trivial |
| |   |   +-+
| |   |   | Date Posted |
| |   |   |  +--+
| |   |   |  | Description  |
| |   |   |  |  |
|16579|New|Enh|2003-01-30|documentation page layout/style breaks wrapping to|
|18500|New|Enh|2003-03-30|Host aliases to match by regular expression   |
|28039|Opn|Enh|2004-03-30|Cluster Support for SingleSignOn  |
|40728|Inf|Enh|2006-10-11|Catalina MBeans use non-serializable classes  |
|40881|Opn|Enh|2006-11-02|Unable to receive message through TCP channel -> |
|41007|Opn|Enh|2006-11-20|Can't define customized 503 error page|
|43866|New|Enh|2007-11-14|add support for session attribute propagation with|
|43925|Opn|Enh|2007-11-21|org.apache.jasper.runtime.BodyContentImpl causing |
|44216|New|Enh|2008-01-11|Don't reuse session ID even if emptySessionPath=tr|
|48550|Inf|Enh|2010-01-14|Update examples and default server.xml to use UTF-|
|49395|New|Enh|2010-06-06|manager.findLeaks : display the date when the leak|
|49589|New|Enh|2010-07-12|Tag handlers with constant attribute values are al|
|49785|New|Enh|2010-08-19|Enabling TLS for JNDIRealm|
|49821|New|Enh|2010-08-25|Tomcat CLI|
|50019|New|Enh|2010-09-28|Adding JNDI "lookup-name" support In XML and Resou|
|50175|New|Enh|2010-10-28|Enhance memory leak detection by selectively apply|
|50234|New|Enh|2010-11-08|JspC use servlet 3.0 features |
|50504|New|Enh|2010-12-21|Allow setting query string character set through re|
|50670|New|Enh|2011-01-27|Tribes | RpcChannel | Add option to specify extern|
|51195|New|Enh|2011-05-13|"Find leaks" reports a false positive memory/class|
|51294|Opn|Enh|2011-05-30|Since 7.0.12 do not work option unpackWARs=true fo|
|51423|Inf|Enh|2011-06-23|[Patch] to add a path and a version parameters to |
|51463|New|Enh|2011-07-01|Tomcat.setBaseDir  (package org.apache.catalina.st|
|51496|New|Enh|2011-07-11|NSIS - Warn that duplicate service name will resul|
|51526|New|Enh|2011-07-18|Process web application context config with embedd|
|51587|New|Enh|2011-07-29|Implement status and uptime commands  |
|51953|New|Enh|2011-10-04|Proposal: netmask filtering valve and filter  |
|52092|New|Enh|2011-10-26|Please make AsyncFileHandler and OneLineFormatter |
|52235|New|Enh|2011-11-23|Please do a bit of SEO tuning for the web site|
|52323|New|Enh|2011-12-13|Cobertura test code coverage support for build.xml|
|52381|New|Enh|2011-12-22|Please add OSGi metadata  |
|52448|New|Enh|2012-01-11|Cache jar indexes in WebappClassLoader to speed up|
|52489|New|Enh|2012-01-19|Enhancement request for code signing of war files |
|52558|New|Enh|2012-01-30|CometConnectionManagerValve is adding non-serializ|
|52688|New|Enh|2012-02-16|Add ability to remove old access log files|
|52751|Opn|Enh|2012-02-23|Optimized configuration of the system info display|
|52952|New|Enh|2012-03-20|Improve ExtensionValidator handling for embedded s|
|53085|New|Enh|2012-04-16|[perf] [concurrency] DefaultInstanceManager.annota|
|53387|New|Enh|2012-06-08|SSI: Allow to use $1 to get result of regular expr|
|53411|Opn|Enh|2012-06-13|NullPointerException in org.apache.tomcat.util.buf|
|53492|New|Enh|2012-07-01|Make JspC shell multithreaded |
|53553|New|Enh|2012-07-16|[PATCH] Deploy uploaded WAR with context.xml from |
|53602|New|Enh|2012-07-25|Support for HTTP status code 451  |
|53620|New|Enh|2012-07-30|[juli] delay opening a file until something gets l|
|53665|New|Enh|2012-08-06|Minor JNDI Howto document enhancement concerning m|
|53776|New|Enh|2012-08-24|Multitenancy support for JDBCRealm|
|53777|New|Enh|2012-08-24|Ability to bundle JAAS Configuration in Webapp|
|54013|New|Enh|2012-10-16|Catalina.sh force kill to wait till process exits |
|54083|New|Enh|2012-10-31|Provide jarsToSkip on a per-webapp basis  |
|54178|Opn|Nor|2012-11-21|runtime exception in onComplete of AsyncListener, |
|54330|New|Enh|2012-12-19|Patch with some refactoring of Member.java|
|54499|

Bug report for Tomcat 8 [2013/04/21]

2013-04-21 Thread bugzilla
+---+
| Bugzilla Bug ID   |
| +-+
| | Status: UNC=Unconfirmed NEW=New ASS=Assigned|
| | OPN=ReopenedVER=Verified(Skipped Closed/Resolved)   |
| |   +-+
| |   | Severity: BLK=Blocker CRI=Critical  REG=Regression  MAJ=Major   |
| |   |   MIN=Minor   NOR=NormalENH=Enhancement TRV=Trivial |
| |   |   +-+
| |   |   | Date Posted |
| |   |   |  +--+
| |   |   |  | Description  |
| |   |   |  |  |
|51497|New|Enh|2011-07-11|Use canonical IPv6 text representation in logs|
|53737|Opn|Enh|2012-08-18|Use ServletContext.getJspConfigDescriptor() in Jas|
|53930|New|Enh|2012-09-24|allow capture of catalina stdout/stderr to a comma|
|53987|New|Enh|2012-10-09|Log uncovered HTTP methods in combined security co|
|54095|New|Enh|2012-11-03|[patch] support gzipped versions of static resourc|
|54503|New|Enh|2013-01-29|SAML2 based single sign on|
|54522|New|Nor|2013-02-04|Add patch binary as prerequisite in BUILDING.txt  |
|54700|New|Enh|2013-03-15|Improvement: Add support for system property to sp|
|54708|Opn|Enh|2013-03-15|Use base file name ("ROOT") as the work directory |
|54729|New|Enh|2013-03-20|new HttpParser.parseAuthorizationBasic method |
|54741|New|Enh|2013-03-22|Add org.apache.catalina.startup.Tomcat#addWebapp(S|
|54745|New|Enh|2013-03-22|Tomcat JarScanning does not work when Tomcat start|
|54746|Opn|Maj|2013-03-24|Cannot obtain idempotent information from Session |
|54770|New|Enh|2013-03-29|Add jarsToScan properties to counteract jarsToSkip|
|54781|New|Nor|2013-04-01|NPE in WsServerContainer if there is no matching p|
|54792|New|Nor|2013-04-02|IllegalStateException with chat sample|
|54800|New|Nor|2013-04-04|Possible thread/memory leak with use of WebSocketC|
+-+---+---+--+--+
| Total   17 bugs   |
+---+




Bug report for Tomcat 6 [2013/04/21]

2013-04-21 Thread bugzilla
+---+
| Bugzilla Bug ID   |
| +-+
| | Status: UNC=Unconfirmed NEW=New ASS=Assigned|
| | OPN=ReopenedVER=Verified(Skipped Closed/Resolved)   |
| |   +-+
| |   | Severity: BLK=Blocker CRI=Critical  REG=Regression  MAJ=Major   |
| |   |   MIN=Minor   NOR=NormalENH=Enhancement TRV=Trivial |
| |   |   +-+
| |   |   | Date Posted |
| |   |   |  +--+
| |   |   |  | Description  |
| |   |   |  |  |
|41679|New|Enh|2007-02-22|SemaphoreValve should be able to filter on url pat|
|41883|Ass|Enh|2007-03-18|use abstract wrapper instead of plain X509Certific|
|43001|New|Enh|2007-07-30|JspC lacks setMappedFile and setDie for use in Ant|
|43400|New|Enh|2007-09-14|enum support for tag libs |
|43548|Opn|Enh|2007-10-04|xml schema for tomcat-users.xml   |
|43682|New|Enh|2007-10-23|JULI: web-inf/classes/logging.properties to suppor|
|43742|New|Enh|2007-10-30|.tag compiles performed one at a time -- extremel|
|43979|New|Enh|2007-11-27|Add abstraction for Java and Classfile output |
|44199|New|Enh|2008-01-10|expose current backlog queue size |
|44225|New|Enh|2008-01-14|SSL connector tries to load the private keystore f|
|44294|New|Enh|2008-01-25|Support for EL functions with varargs |
|44645|New|Enh|2008-03-20|[Patch] JNDIRealm - Doesn't support JNDI "java.nam|
|44787|New|Enh|2008-04-09|provide more error context on "java.lang.IllegalSt|
|44818|New|Enh|2008-04-13|tomcat hangs with GET when content-length is defin|
|45014|New|Enh|2008-05-15|Request and Response classes should have wrappers |
|45282|New|Enh|2008-06-25|NioReceiver doesn't close cleanly, leaving sockets|
|45428|New|Enh|2008-07-18|warn if the tomcat stop doesn't complete  |
|45832|New|Enh|2008-09-18|add DIGEST authentication support to Ant tasks|
|45878|New|Enh|2008-09-24|Generated jars do not contain proper manifests or |
|45879|Opn|Enh|2008-09-24|Windows installer fails to install NOTICE and RELE|
|45931|Opn|Enh|2008-10-01|trimSpaces incorrectly modifies output|
|46173|New|Enh|2008-11-09|Small patch for manager app: Setting an optional c|
|46263|New|Enh|2008-11-21|Tomcat reloading of context.xml does not update do|
|46284|New|Enh|2008-11-24|Add flag to DeltaManager that blocks processing cl|
|46350|New|Enh|2008-12-05|Maven repository should contain source bundles|
|46558|Opn|Enh|2009-01-19|Shutdown port with address binding|
|46727|New|Enh|2009-02-17|DefaultServlet - serving multiple encodings   |
|46902|New|Enh|2009-03-24|LoginValve to bypass restrictions of j_security_ch|
|47214|New|Enh|2009-05-17|Inner classes that are explicitly referenced - sho|
|47242|New|Enh|2009-05-22|request for AJP command line client   |
|47281|New|Enh|2009-05-28|Efficiency of the JDBCStore   |
|47407|New|Enh|2009-06-23|HttpSessionListener doesn't operate in the session|
|47467|New|Enh|2009-07-02|Deployment of the war file by URL when contextpath|
|47834|New|Enh|2009-09-14|TldConfig throws Exception when exploring unpacked|
|47919|New|Enh|2009-09-30|Log Tomcat & Java environment variables in additio|
|48358|Opn|Enh|2009-12-09|JSP-unloading reloaded|
|48543|New|Enh|2010-01-14|[Patch] More flexibility in specifying -Dcatalina.|
|48672|New|Enh|2010-02-03|Tomcat Virtual Host Manager (/host-manager) have b|
|48674|New|Enh|2010-02-03|Tomcat Virtual Host Manager application doesn't pe|
|48743|New|Enh|2010-02-15|Make the SLEEP variable in catalina.sh settable fr|
|48899|New|Enh|2010-03-12|Guess URI charset should solve lot of problems|
|48922|New|Enh|2010-03-16|org.apache.catalina.connector.Request clone static|
|48928|New|Enh|2010-03-17|An alternative solution to preloading classes when|
|49161|New|Enh|2010-04-21|Unknown Publisher when installing tomcat 6.0.26   |
|49176|Opn|Enh|2010-04-23|Jasper in Dev Mode Is Memory Inefficient  |
|49464|New|Enh|2010-06-18|DefaultServlet and CharacterEncoding  |
|49531|New|Enh|2010-06-30|singlesignon failover not working on DeltaManager/|
|49804|New|Enh|2010-08-23|Allow Embedded.redirectStreams value to be configu|
|49939|New|Enh|2010-09-16|Expose a method via JMX which empties the webapp f|
|49943|New|Enh|2010-09-16|Logging (via juli) does not reread configuration c|
|50285|New|Enh|2010-11-17|Standard HTTP and AJP connectors silently ignore a|
|50288|

Bug report for Tomcat Connectors [2013/04/21]

2013-04-21 Thread bugzilla
+---+
| Bugzilla Bug ID   |
| +-+
| | Status: UNC=Unconfirmed NEW=New ASS=Assigned|
| | OPN=ReopenedVER=Verified(Skipped Closed/Resolved)   |
| |   +-+
| |   | Severity: BLK=Blocker CRI=Critical  REG=Regression  MAJ=Major   |
| |   |   MIN=Minor   NOR=NormalENH=Enhancement TRV=Trivial |
| |   |   +-+
| |   |   | Date Posted |
| |   |   |  +--+
| |   |   |  | Description  |
| |   |   |  |  |
|34526|Opn|Nor|2005-04-19|Truncated content in decompressed requests from mo|
|35959|Opn|Enh|2005-08-01|mod_jk not independent of UseCanonicalName|
|43303|New|Enh|2007-09-04|Versioning under Windows not reported by many conn|
|43968|Inf|Enh|2007-11-26|[patch] support ipv6 with mod_jk  |
|44290|Inf|Nor|2008-01-24|mod_jk/1.2.26: retry is not useful for an importan|
|44349|Inf|Maj|2008-02-04|mod_jk/1.2.26 module does not read worker.status.s|
|44379|New|Enh|2008-02-07|convert the output of strftime into UTF-8 |
|44454|New|Nor|2008-02-19|busy count reported in mod_jk inflated, causes inc|
|44571|New|Enh|2008-03-10|Limits busy per worker to a threshold |
|45063|New|Nor|2008-05-22|JK-1.2.26 IIS ISAPI filter issue when running diff|
|45313|New|Nor|2008-06-30|mod_jk 1.2.26 & apache 2.2.9 static compiled on so|
|46337|New|Nor|2008-12-04|real worker name is wrong |
|46767|New|Enh|2009-02-25|mod_jk to send DECLINED in case no fail-over tomca|
|47327|New|Enh|2009-06-07|remote_user not logged in apache logfile  |
|47617|Inf|Enh|2009-07-31|include time spent doing ajp_get_endpoint() in err|
|47678|New|Cri|2009-08-11|Unable to allocate shared memory when using isapi_|
|47714|New|Cri|2009-08-20|Response mixed between users   |
|47750|New|Maj|2009-08-27|Loss of worker settings when changing via jkstatus|
|47795|New|Maj|2009-09-07|service sticky_session not being set correctly wit|
|47840|Inf|Min|2009-09-14|A broken worker name is written in the log file.  |
|48191|New|Maj|2009-11-13|Problem with mod_jk 1.2.28 - Can not render up the|
|48460|New|Nor|2009-12-30|mod_proxy_ajp document has three misleading portio|
|48490|New|Nor|2010-01-05|Changing a node to stopped in uriworkermap.propert|
|48513|New|Enh|2010-01-09|IIS Quick setup instructions  |
|48564|New|Nor|2010-01-18|Unable to turn off retries for LB worker  |
|48830|New|Nor|2010-03-01|IIS shutdown blocked in endpoint service when serv|
|48891|Opn|Enh|2010-03-11|Missing EOL-style settings in tomcat/jk/trunk |
|49035|New|Maj|2010-04-01|data lost when post a multipart/form-data form|
|49063|New|Enh|2010-04-07|Please add JkStripSession status in jk-status work|
|49135|New|Enh|2010-04-16|SPDY Connector for The Tomcat |
|49469|New|Enh|2010-06-19|Workers status page has negative number of connect|
|49732|Opn|Nor|2010-08-10|reply_timeout can't wait forever. |
|49822|New|Enh|2010-08-25|Add hash lb worker method |
|49903|New|Enh|2010-09-09|Make workers file reloadable  |
|50186|New|Nor|2010-10-31|Wrong documentation of connection_pool_timeout / c|
|52334|New|Maj|2011-12-14|recover_time is not properly used |
|52483|New|Enh|2012-01-18|Print JkOptions's options in log file and jkstatus|
|52651|New|Nor|2012-02-13|JKSHMFile size limitation |
|53324|Opn|Nor|2012-05-30|Starting with mod_jk 1.2.35 I cannot modify worker|
|53542|New|Min|2012-07-13|Spelling mistake on 503 service unavailable page  |
|53762|New|Nor|2012-08-22|JK status manager: mass nodes handling doesn't wor|
|53883|New|Maj|2012-09-17|isapi_redirect v 1.2.37 crashes w3wp.exe on the p|
|53977|New|Maj|2012-10-07|32bits isapi connector cannot work in wow64 mode  |
|54027|New|Cri|2012-10-18|isapi send request to outside address instead of i|
|54112|Opn|Blk|2012-11-07|ISAPI redirector not working when IIS recycles|
|54117|New|Maj|2012-11-08|access violation exception in isapi_redirect.dll  |
|54177|New|Nor|2012-11-20|jkmanager generates non-well-formed XML for certai|
|54596|New|Nor|2013-02-22|Relative paths truncates last character of values |
|54621|New|Nor|2013-02-28|[PATCH] custom mod_jk availability checks |
|54646|New|Trv|2013-03-06|socket_keepalive is sometimes 1 or true or True in|
+-+---+---+--+--+
| Total

Bug report for Tomcat Native [2013/04/21]

2013-04-21 Thread bugzilla
+---+
| Bugzilla Bug ID   |
| +-+
| | Status: UNC=Unconfirmed NEW=New ASS=Assigned|
| | OPN=ReopenedVER=Verified(Skipped Closed/Resolved)   |
| |   +-+
| |   | Severity: BLK=Blocker CRI=Critical  REG=Regression  MAJ=Major   |
| |   |   MIN=Minor   NOR=NormalENH=Enhancement TRV=Trivial |
| |   |   +-+
| |   |   | Date Posted |
| |   |   |  +--+
| |   |   |  | Description  |
| |   |   |  |  |
|46179|Opn|Maj|2008-11-10|apr ssl client authentication |
|48655|Inf|Nor|2010-02-02|Active multipart downloads prevent tomcat shutdown|
|49038|Inf|Nor|2010-04-02|Crash in tcnative |
|51655|New|Nor|2011-08-12|Index page does not say what native does  |
|51813|New|Cri|2011-09-14|Tomcat randomly crashes with [libtcnative-1.so.1+0|
|52153|New|Maj|2011-11-08|periodic JVM crash (access violation) on buffer fl|
|52231|New|Nor|2011-11-23|Ant Tasks need to reflect changes in manager comma|
|52319|New|Maj|2011-12-12|Tomcat 6 crashes with [libapr-1.so.0+0x196da]  sig|
|52627|New|Min|2012-02-08|Segmentation fault in org.apache.tomcat.jni.File.i|
|53110|New|Cri|2012-04-20|Access Violation Error while creating SHM |
|53605|New|Nor|2012-07-26|use tcnative-1.1.24 Tomcat shutdown still crash   |
|53847|Inf|Nor|2012-09-10|High CPU usage in tomcat native 1.22+ |
|53937|New|Reg|2012-09-26|Double call to apr_pool_destroy() if OCSP checking|
|53940|New|Enh|2012-09-27|Added support for new CRL loading after expiration|
|53952|New|Nor|2012-10-02|Add support for TLS 1.1 and 1.2   |
|54085|New|Nor|2012-11-01|ssl_socket_recv sometimes loops infinitely with no|
|54664|New|Reg|2013-03-11|[1.1.27 branch] Poll.remove incorrectly reports AP|
+-+---+---+--+--+
| Total   17 bugs   |
+---+




Bug report for Tomcat Modules [2013/04/21]

2013-04-21 Thread bugzilla
+---+
| Bugzilla Bug ID   |
| +-+
| | Status: UNC=Unconfirmed NEW=New ASS=Assigned|
| | OPN=ReopenedVER=Verified(Skipped Closed/Resolved)   |
| |   +-+
| |   | Severity: BLK=Blocker CRI=Critical  REG=Regression  MAJ=Major   |
| |   |   MIN=Minor   NOR=NormalENH=Enhancement TRV=Trivial |
| |   |   +-+
| |   |   | Date Posted |
| |   |   |  +--+
| |   |   |  | Description  |
| |   |   |  |  |
|48240|New|Nor|2009-11-19|Tomcat-Lite missing @Override markers |
|48268|New|Nor|2009-11-23|Patch to fix generics in tomcat-lite  |
|48861|New|Nor|2010-03-04|Files without AL headers  |
|49685|New|Nor|2010-08-02|Unsafe synchronization in class ManagedBean   |
|49686|New|Nor|2010-08-02|Using an instance lock to protect static shared da|
|50571|Inf|Nor|2011-01-11|Tomcat 7 JDBC connection pool exception enhancemen|
|51595|Inf|Nor|2011-08-01|org.apache.tomcat.jdbc.pool.jmx.ConnectionPool sho|
|51879|Inf|Enh|2011-09-22|Improve access to Native Connection Methods   |
|52024|Inf|Enh|2011-10-13|Custom interceptor to support automatic failover o|
|53088|Opn|Min|2012-04-17|Give PoolCleaner TimerTask a better name  |
|53198|New|Cri|2012-05-07|'driverClassName' Data Source Property Being Manda|
|53199|Inf|Enh|2012-05-07|Refactor ConnectionPool to use ScheduledExecutorSe|
|53200|New|Enh|2012-05-07|Be able to use SlowQueryReport without reporting f|
|53770|New|Enh|2012-08-23|tomcat-pool: always log validation query syntax er|
|53853|New|Nor|2012-09-11|Can tomcat-jdbc consider Thread#getContextClassLoa|
|54225|New|Nor|2012-11-30|if initSQL property is set to an empty string a Nu|
|54227|New|Nor|2012-11-30|maxAge should be checked on borrow|
|54235|New|Nor|2012-12-03|tomcat jdbc pool stackoverflow error used with spr|
|54395|New|Nor|2013-01-09|JdbcInterceptor config parameter parsing errors   |
|54437|New|Enh|2013-01-16|Update PoolProperties javadoc for ConnectState int|
|54537|New|Cri|2013-02-07|StatementFinalizer closeInvoked is too slow for la|
|54693|New|Enh|2013-03-13|Add a validationQueryTimeout property |
+-+---+---+--+--+
| Total   22 bugs   |
+---+




Re: and security constraints

2013-04-21 Thread Jeremy Boynes
On Apr 19, 2013, at 11:04 PM, David Jencks  wrote:
> IMO you have misinterpreted roles in the ee specs.  The specs including the 
> servlet spec define application roles and base the declarative security 
> constraints on them.  Then you can map strings that bits of the application 
> like, at least ejbs and servlets, to these declared security roles using a 
> security-role-ref.  The role-link has to be one of the declared application 
> roles.  For web apps the security-role-ref is defined on servlets.  The 
> application roles no matter where defined are scoped to the entire 
> application not just one web app or web fragment.  If a security-role-ref is 
> not defined for a string, and you call isUserInRole with that string, the 
> string is assumed to be a defined application role.

Mark does bring up a gap here though. Before 3.0, the only reference to a role 
from code would be in the parameter value passed to isUserInRole(), and the 
assembler was responsible for listing all of those in web.xml; the deployer was 
responsible for linking them to actual roles in  elements, and 
then linking those to groups/principals in the authorization system in a 
container-specific manner. Declarative security 
(security-constraint/auth-constraint) did not require a linkage mechanism as 
the deployer could modify the value in the  declaration in 
web.xml. With 3.0 annotations, however, the auth-constraint is now declared in 
code and the deployer has no mechanism to link its roleNames() to an actual 
role.

Option b) sounds like a potential solution but as you say that is not something 
the spec currently allows. The spec could be extended to allow this, and I 
think that would even be a compatible change given the existing requirement for 
 to default to a  with the same name if no 
explicit link is specified.

There is a scoping issue for role ref names but that is not new - 2.x libraries 
can also conflict by using the same value in calls to isUserInRole(). 

> Based on the JACC WebRoleRefPermission, where the constructor arguments are 
> the servlet name and the role name, I've concluded that a filter gets the 
> same isUserInRole behavior as the servlet the request ends up at after going 
> through the filter.  I think this is a satisfactory solution, and it's passed 
> quite a few ee tcks by now.  It's also quite easy to implement :-).  I think 
> talking to Ron Monzilla if you disagree with it would be the way to go.

As the spec stands with /@DeclareRoles only allowed on 
Servlets and not on Filters I'd come to the same conclusion. It is a weird 
coupling though as the role reference is made by the filter and not the 
servlet, the servlet author does not know a-priori what filters will be applied 
or vice versa. Again, more of an issue now we have annotation based config. 
IMO, getting the spec to clarify this, and potentially allowing filters to 
declare role references would be useful.

I've assumed the same model would apply for calls to isUserInRole() from within 
listeners e.g. request or request attribute? Or from within an extension-mapped 
servlet like the JSP servlet?

> Then you presumably have an external security system such as ldap with some 
> defined entities such as groups, and these usually get represented as 
> Principals, perhaps in a Subject..  These are not application roles.  You 
> need to map the externally defined entities to the application roles.
+1, although falling back to mapping application roles to groups in the absence 
of configuration by the deployer is temptingly convenient (although with the 
"new-group" problem you mention).
...
> On Apr 19, 2013, at 2:28 PM, Mark Thomas  wrote:
...
>> 
>> Tomcat's current behaviour looks to be specification compliant but there
>> appears to me to be an issue here that the Servlet EG needs to address.
>> Before I move this issue there what do folks think about this? Is there
>> an issue or am I missing the obvious?

Seems to me there's ambiguity there that would be worth clarifying.
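An added example, not code from this thread or from Tomcat: a small Python model of the role-resolution chain the exchange above describes, written for this page. It encodes the rules as the participants state them: `<security-role>`, @DeclareRoles and rolesAllowed names are application roles scoped to the whole application; a `<security-role-ref>` with its role-link is declared per servlet; a filter's isUserInRole() is resolved against the servlet the request is dispatched to (the servlet-name/role-name pair that JACC's WebRoleRefPermission carries); a name with no ref is assumed to be an application role of the same name; and the deployer maps application roles to external groups in a container-specific way. The servlet names, URL patterns, role names and LDAP group names are constructed for the example, and the same-name fallback is a toggle added to show the "new-group" problem, not a feature of any container.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, TypeVar

T = TypeVar("T")


def best_match(table: Dict[str, T], path: str) -> Optional[T]:
    """Exact URL pattern wins; otherwise the longest matching "/prefix/*" pattern."""
    if path in table:
        return table[path]
    hits = [p for p in table
            if p.endswith("/*") and (path == p[:-2] or path.startswith(p[:-2] + "/"))]
    return table[max(hits, key=len)] if hits else None


@dataclass
class WebApp:
    """Assembler's view of one application: web.xml plus the 3.0 annotations."""
    # <security-role>, @DeclareRoles and rolesAllowed all declare *application*
    # roles, scoped to the whole application.
    app_roles: Set[str]
    # <servlet-mapping>: URL pattern -> servlet name.
    servlet_mappings: Dict[str, str]
    # <security-role-ref> lives on a servlet: servlet name -> {role-name: role-link}.
    role_refs: Dict[str, Dict[str, str]]
    # <auth-constraint> / @HttpConstraint(rolesAllowed): URL pattern -> roles.
    auth_constraints: Dict[str, Set[str]]


@dataclass
class Deployment:
    """Deployer's container-specific mapping of application roles to external groups."""
    role_to_groups: Dict[str, Set[str]]
    # The "temptingly convenient" fallback: an unmapped role matches a group of
    # the same name.  A toggle for this example, not a feature of any container.
    fallback_to_same_named_group: bool = False

    def groups_for(self, role: str) -> Set[str]:
        if role in self.role_to_groups:
            return self.role_to_groups[role]
        return {role} if self.fallback_to_same_named_group else set()


def resolve_role_ref(app: WebApp, servlet: str, name: str) -> str:
    """Map the string passed to isUserInRole() to an application role.

    The lookup is keyed by (servlet name, role name), the same pair JACC's
    WebRoleRefPermission carries, so a filter asking during a request gets the
    answer of the servlet the request is dispatched to.  A name with no
    <security-role-ref> is assumed to be an application role of that name.
    """
    return app.role_refs.get(servlet, {}).get(name, name)


def is_user_in_role(app: WebApp, dep: Deployment, path: str,
                    user_groups: Set[str], name: str) -> bool:
    """Programmatic check, as seen by a servlet or filter handling `path`."""
    servlet = best_match(app.servlet_mappings, path)
    if servlet is None:
        raise LookupError(f"no servlet mapped for {path}")
    role = resolve_role_ref(app, servlet, name)
    return bool(dep.groups_for(role) & user_groups)


def is_authorized(app: WebApp, dep: Deployment, path: str, user_groups: Set[str]) -> bool:
    """Declarative check against the <auth-constraint> matching `path`."""
    required = best_match(app.auth_constraints, path)
    if required is None:          # unconstrained resource
        return True
    if not required:              # empty <auth-constraint>: nobody may access
        return False
    return any(dep.groups_for(role) & user_groups for role in required)


# Constructed sample application (all names are hypothetical, not from the thread).
APP = WebApp(
    app_roles={"admin", "editor"},
    servlet_mappings={"/admin/*": "AdminServlet", "/content/*": "ContentServlet"},
    # AdminServlet's code calls isUserInRole("superuser"); the assembler linked it.
    role_refs={"AdminServlet": {"superuser": "admin"}},
    auth_constraints={"/admin/*": {"admin"}, "/content/*": {"admin", "editor"}},
)
# Deployer's mapping of application roles to (hypothetical) LDAP group names.
DEPLOY = Deployment(role_to_groups={"admin": {"ldap-ops"}, "editor": {"ldap-writers"}})


def demo() -> Dict[str, bool]:
    ops, writers = {"ldap-ops"}, {"ldap-writers"}
    lax = Deployment(DEPLOY.role_to_groups, fallback_to_same_named_group=True)
    return {
        # Declarative constraints resolved through the deployer's mapping.
        "editor_on_content": is_authorized(APP, DEPLOY, "/content/1", writers),
        "editor_on_admin": is_authorized(APP, DEPLOY, "/admin/users", writers),
        # A filter on /admin/* inherits AdminServlet's ref: "superuser" -> "admin".
        "filter_on_admin": is_user_in_role(APP, DEPLOY, "/admin/users", ops, "superuser"),
        # The same filter code on a ContentServlet request finds no ref, so
        # "superuser" is taken as an (unmapped) application role.
        "filter_on_content": is_user_in_role(APP, DEPLOY, "/content/1", ops, "superuser"),
        # The new-group problem: with same-name fallback, anyone who acquires an
        # LDAP group literally called "superuser" passes the unlinked check.
        "new_group_problem": is_user_in_role(APP, lax, "/content/1", {"superuser"}, "superuser"),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Running the file prints the five outcomes. The filter_on_admin / filter_on_content pair is the coupling called weird above: identical filter code gets different answers depending on which servlet the request ends up at, because the ref is declared on the servlet. The new_group_problem entry shows why a deployer who leaves the mapping to a same-name fallback has delegated authorization policy to whoever can create groups in the directory.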



Re: and security constraints

2013-04-21 Thread David Jencks
On Apr 21, 2013, at 3:56 PM, Jeremy Boynes  wrote:

> On Apr 19, 2013, at 11:04 PM, David Jencks  wrote:
>> IMO you have misinterpreted roles in the ee specs.  The specs including the 
>> servlet spec define application roles and base the declarative security 
>> constraints on them.  Then you can map strings that bits of the application 
>> like, at least ejbs and servlets, to these declared security roles using a 
>> security-role-ref.  The role-link has to be one of the declared application 
>> roles.  For web apps the security-role-ref is defined on servlets.  The 
>> application roles no matter where defined are scoped to the entire 
>> application not just one web app or web fragment.  If a security-role-ref is 
>> not defined for a string, and you call isUserInRole with that string, the 
>> string is assumed to be a defined application role.
> 
> Mark does bring up a gap here though. Before 3.0, the only reference to a 
> role from code would be in the parameter value passed to isUserInRole(), and 
> the assembler was responsible for listing all of those in web.xml; the 
> deployer was responsible for linking them to actual roles in  
> elements, and then linking those to groups/principals in the authorization 
> system in a container-specific manner. Declarative security 
> (security-constraint/auth-constraint) did not require a linkage mechanism as 
> the deployer could modify the value in the  declaration in 
> web.xml. With 3.0 annotations, however, the auth-constraint is now declared 
> in code and the deployer has no mechanism to link its roleNames() to an 
> actual role.

Not quite following you here.  I thought you'd declare all your roles using the 
@DeclareRoles annotation or in @AllowRoles inside constraints.  These are 
equivalent to  elements in web.xml.  If for some reason you 
don't like the role names in the annotations you can always override them in 
web.xml just like you can override other non-cdi annotations.  Otherwise the 
deployer can link the principal names to the role names just like with web.xml.

 
> 
> 
> Option b) sounds like a potential solution but as you say that is not 
> something the spec currently allows. The spec could be extended to allow 
> this, and I think that would even be a compatible change given the existing 
> requirement for  to default to a  with the 
> same name if no explicit link is specified.

How is this different from the existing possibility to define a proprietary 
mapping between principal names and application role names?

thanks
david jencks