[securityfilter-devel] Choosing a matching security-constraint

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

All,

I've been looking at the url-pattern matching code in securityfilter,
attempting to simplify it a bit, and making sure that it matches the 2.5
specification.

I think we may have a problem with interpretation of section 12.7.3:

"
SRV.12.7.3 Processing Requests

When a Servlet container receives a request, it shall use the algorithm
described in SRV.11.1 to select the constraints (if any) defined on the
url-pattern that is the best match to the request URI. If no constraints
are selected, the container shall accept the request. Otherwise the
container shall determine if the HTTP method of the request is
constrained at the selected pattern. If it is not, the request shall be
accepted. Otherwise, the request must satisfy the constraints that apply
to the http-method at the url-pattern. Both of the following rules must
be satisfied for the request to be accepted and dispatched to the
associated servlet.
"

I read this to mean "select the security constraint based solely upon
the best url-pattern match". After that, if none of the http-methods for
that web-resource-collection match, the request is accepted with no
further security constraints.

Honestly, that doesn't seem like a good idea, but it sounds like it
matches the specification.

In the current implementation, we match url-pattern and http-method at
the same time, so if they don't /both/ match, we continue looking for
another web-resource-collection that /does/ match.

Does anyone have any comments on this?

Thanks,
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkgYgVMACgkQ9CaO5/Lv0PCZkQCfbCm1au9k2XjjvED71jLlgmAh
qSIAnRcrK34wWRXDX8nL+7hxzrIQrzdf
=mMyy
-----END PGP SIGNATURE-----