jakartaee / servlet

Jakarta Servlet
https://eclipse.org/ee4j/servlet

Regarding url-pattern in security constraints: is there a difference between "/" and "/*"? #461

Closed fl4via closed 2 years ago

fl4via commented 2 years ago

Hi everyone!

When I read the spec, to me it is clear that / always refers to the default servlet. That being the case, if I have a configuration like the one below, to me it would seem logical that it refers to the default servlet only:

<security-constraint>
    <display-name>
        Switch from Constraint to Permission model
        (where everything is denied by default)
    </display-name>
    <web-resource-collection>
        <url-pattern>/</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>

While, if I used /* as my url-pattern, then I would be referring to all urls possible in my application:

<security-constraint>
    <display-name>
        Switch from Constraint to Permission model
        (where everything is denied by default)
    </display-name>
    <web-resource-collection>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>

However, the Java EE Tutorial states that:

If, for your web application, you do not want any resource to be accessible unless you explicitly define a constraint that permits access to it, you can define an auth-constraint that names no roles and associate it with the URL pattern /. The URL pattern / is the weakest matching pattern. Do not list any HTTP methods in this constraint.

So, what exactly would a / url-pattern refer to? I think it might be worth adding some text to the spec (section 13.8) that makes this clear and, if the Java EE Tutorial is not entirely correct in its statement, fixing that as well. Thanks!

stuartwdouglas commented 2 years ago

I think this does need to be clarified, but I think the tutorial is actually correct. My logic is:

https://jakarta.ee/specifications/servlet/5.0/jakarta-servlet-spec-5.0.html#processing-requests

This section says:

When a servlet container receives a request, it shall use the algorithm described in Section 12.1, “Use of URL Paths” to select the constraints (if any) defined on the url-pattern that is the best match to the request URI.

Now this section talks about mapping requests to servlets, but in this case we are talking about mapping requests to auth constraints. Logically this would then mean that if you had an auth-constraint with / then this would become the default auth constraint that would be applied if no other auth constraints match.

@gregw @markt-asf what do you guys think?

gregw commented 2 years ago

@stuartwdouglas I agree that a security constraint mapped to "/" will match any URI not matched by other constraints. Modulo methods and the complexity of uncovered methods.
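To make the reasoning above concrete, the following is an added Python model (written for this discussion, not code from the Jakarta Servlet project or any container) of the url-pattern selection in spec section 12.1 applied to security constraints as section 13.8 describes: a constraint on / is selected only when no exact, path-prefix or extension pattern matches, whereas /* is a path-prefix pattern that wins over extension patterns such as *.css. It also shows @gregw's caveat about uncovered methods: once the best-matching pattern is chosen, a method that no constraint on that pattern names is accepted, and the / fallback does not step in. The `Constraint` class, the `decide` function, the `deny_uncovered` flag (modelling `<deny-uncovered-http-methods/>` in web.xml) and the sample constraint sets `WITH_SLASH` and `WITH_SLASH_STAR` are all constructed for this example.

```python
"""Toy model of how a servlet container selects the <security-constraint> for a request.

Pattern matching follows Servlet spec section 12.1 (exact, longest path-prefix,
extension, then the "/" default); constraint combination and uncovered methods
follow section 13.8. This is an illustration written for this discussion, not
code from the Jakarta Servlet project or any container.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional


@dataclass(frozen=True)
class Constraint:
    """One <security-constraint>.

    patterns: the <url-pattern> values of its web-resource-collection.
    methods:  the <http-method> values; empty means the constraint covers all methods.
    roles:    the <auth-constraint> roles; an empty set models an empty
              <auth-constraint/> (no roles -> nobody is allowed), None models a
              constraint with no <auth-constraint> at all (unauthenticated access).
    """
    patterns: FrozenSet[str]
    methods: FrozenSet[str] = frozenset()
    roles: Optional[FrozenSet[str]] = frozenset()


def best_match(path: str, patterns: Iterable[str]) -> Optional[str]:
    """Select the single best-matching url-pattern for a request path (spec 12.1)."""
    patterns = set(patterns)
    # 1. Exact match. "/" is never an exact match; it is only the default.
    if path in patterns and path != "/":
        return path
    # 2. Longest path-prefix match: "/foo/*" covers "/foo" and "/foo/...".
    #    "/*" has an empty prefix and therefore covers every path.
    prefixes = [p for p in patterns if p.endswith("/*")
                and (path == p[:-2] or path.startswith(p[:-2] + "/"))]
    if prefixes:
        return max(prefixes, key=len)
    # 3. Extension match on the last path segment, e.g. "*.css".
    last = path.rsplit("/", 1)[-1]
    for p in sorted(patterns):
        if p.startswith("*.") and last.endswith(p[1:]):
            return p
    # 4. Default: "/" matches whatever nothing else matched.
    return "/" if "/" in patterns else None


def decide(path: str, method: str, constraints: Iterable[Constraint],
           deny_uncovered: bool = False) -> str:
    """Return "open" (no constraint applies), "deny", or "auth:<role,...>".

    deny_uncovered models <deny-uncovered-http-methods/> in web.xml.
    """
    constraints = list(constraints)
    pattern = best_match(path, {p for c in constraints for p in c.patterns})
    if pattern is None:
        return "open"                       # no constraint selected: request accepted
    at_pattern = [c for c in constraints if pattern in c.patterns]
    covering = [c for c in at_pattern if not c.methods or method in c.methods]
    if not covering:
        # The method is uncovered at the best-matching pattern (spec 13.8.4).
        # The "/" default does not step in here: matching already stopped at a
        # more specific pattern, so only deny-uncovered-http-methods closes the gap.
        return "deny" if deny_uncovered else "open"
    if any(c.roles is not None and not c.roles for c in covering):
        return "deny"                       # an auth-constraint naming no roles wins
    if any(c.roles is None for c in covering):
        return "open"                       # a collection without auth-constraint opens it
    roles = frozenset().union(*(c.roles for c in covering))
    return "auth:" + ",".join(sorted(roles))


# Constructed web.xml equivalent of the "permission model" discussed in this issue:
# deny everything by default, then explicitly open or protect specific resources.
DENY_ALL_DEFAULT = Constraint(frozenset({"/"}))                     # <auth-constraint/> on /
DENY_ALL_PREFIX = Constraint(frozenset({"/*"}))                     # the /* variant
ADMIN_GET_ONLY = Constraint(frozenset({"/admin/*"}),
                            methods=frozenset({"GET"}), roles=frozenset({"admin"}))
PUBLIC = Constraint(frozenset({"/public/*", "*.css", "/login"}), roles=None)

WITH_SLASH = (DENY_ALL_DEFAULT, ADMIN_GET_ONLY, PUBLIC)
WITH_SLASH_STAR = (DENY_ALL_PREFIX, ADMIN_GET_ONLY, PUBLIC)

if __name__ == "__main__":
    for path, method in [("/anything", "GET"), ("/public/a.html", "GET"),
                         ("/theme/site.css", "GET"), ("/admin/users", "GET"),
                         ("/admin/users", "DELETE")]:
        print(f"{method:6} {path:18} '/': {decide(path, method, WITH_SLASH):11} "
              f"'/*': {decide(path, method, WITH_SLASH_STAR):11} "
              f"'/' + deny-uncovered: {decide(path, method, WITH_SLASH, True)}")
```

Running the block prints one row per sample request. The two rows worth comparing are `/theme/site.css`, where the / default lets the *.css constraint win but /* denies it, and `DELETE /admin/users`, where neither / nor /* denies the request because the method is uncovered at /admin/*; only the deny-uncovered-http-methods setting turns that into a deny.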

fl4via commented 2 years ago

As this issue is explained by the comments above, I'm closing it. Thank you @gregw and @stuartwdouglas for clarification!