tags:

views:

228

answers:

0
+1  Q: 

Multiple <security-constraint> not working

I have the following in a GlassFish deployed EAR, which works fine:

<security-constraint>
<web-resource-collection>
        <web-resource-name>Secure Pages</web-resource-name>
        <url-pattern>/restricted/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>

    <web-resource-collection>
        <web-resource-name>Secure Pages</web-resource-name>
        <url-pattern>/admin/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>

    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>

But when I add another stanza, like so, the original still works, but not the new security-constraint, the new security-constraint:

    <security-constraint>       
    <web-resource-collection>
        <web-resource-name>Secure Pages</web-resource-name>
        <url-pattern>/su/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>

    <auth-constraint>
        <role-name>su</role-name>
    </auth-constraint>
</security-constraint>

Does anyone see an issues?

related questions

How to prevent Iframe hack
Integrating authentication between a web app and desktop app
ASP.NET Authenticaion and Security with Session
Is this acceptable for passing a password?
Why can't an iframe set its parent's location.hash?
Anyone know of a free XSS penetration testing tool?
AntiSpam measures on websites
Implementing secure, unique "single-use" activation URLs in ASP.NET (C#)
Confusion with services and certificates with an anonymous client
Help me understand rails authentication w/r/t assets, like swfs.
Is EnableHeaderChecking=true enough to prevent Http Header Injection attacks?
Examples of SQL Injections through addslashes()?
How can I prevent bulk vulnerability scanning without using a CAPTCHA component?
What security issues appear when users can upload their own files?
Do Perl CGI programs have a buffer overflow or script vulnerability for HTML contact forms?
How to Start/Stop a Windows Service from an ASP.NET app - Security issues
How can I ensure that my web pages are not modified by end customer?
What is the best and safest way to store user email addresses in the database?
Main security concerns in allowing users embed video
Returning a password to the web user
Best practices for URL retrieval service? How to avoid being attack vector?
What conferences/training should an employer provide for a java/web team?
ASP.Net: Authentication via Browser's Login Window
Do you require deep packet inspection on a server-only firewall?
Storing parts of user data in files for preventing SQL injection