Weblogic Security Constraints Not Working Properly
Last updated on DECEMBER 11, 2017
Applies to:
Oracle Weblogic Server - Version: 10.3
Information in this document applies to any platform.
Symptoms
There is a problem with the security-constraint implementation on WebLogic Server 10.3. A sample application is attached to illustrate it. Essentially the problem is this:
Assume the following in the web.xml:
<security-constraint>
    <display-name>Administrator User Only Resources</display-name>
    <web-resource-collection>
        <web-resource-name>AdministratorUsersOnly</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>Administrators</role-name>
    </auth-constraint>
</security-constraint>
<security-constraint>
    <display-name>Inaccessible Resources</display-name>
    <web-resource-collection>
        <web-resource-name>NoAccess</web-resource-name>
        <url-pattern>/doc2/*</url-pattern>
        <url-pattern>*.pdf</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>
In section "SRV.12.8.1 Combining Constraints" of the Servlet 2.4 spec it says:
Following this, the "NoAccess" constraint above should take precedence and preclude access even though the previous constraint grants it. Unfortunately it does not for the *.pdf pattern, although it does for the /doc2/* pattern.
When you access the application you will be offered the following files to access:
readme.pdf
doc1/readme.pdf
doc2/readme.pdf
Reference:
http://download.oracle.com/otndocs/jcp/servlet-2.4-fr-spec-oth-JSpec/
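To see what a web.xml like the one above actually resolves to, the following is an added example (not from the article or from Oracle) that models the two spec rules involved: the SRV.11.1 best-match selection of a url-pattern, which SRV.12.8.3 applies when choosing the security constraint for a request, and the SRV.12.8.1 combination of constraints that share the selected pattern. The constraint table is constructed from the article's web.xml; the best-match step is the assumption to check against the Cause section, since under it the three listed files resolve to /* (Administrators), /* (Administrators) and /doc2/* (precluded), the behaviour the symptom describes.

```python
# Constructed from the article's web.xml. roles: None = no <auth-constraint>
# (unauthenticated access allowed), set() = empty <auth-constraint/> (access
# precluded), non-empty set = permitted roles. No <http-method> is given, so
# every constraint covers all methods and method handling is omitted here.
CONSTRAINTS = [
    {"name": "AdministratorUsersOnly", "patterns": ["/*"], "roles": {"Administrators"}},
    {"name": "NoAccess", "patterns": ["/doc2/*", "*.pdf"], "roles": set()},
]

def matches(pattern, path):
    """url-pattern syntax: '/' default, '/x/*' path prefix, '*.ext' extension, else exact."""
    if pattern == "/":
        return True
    if pattern.startswith("/") and pattern.endswith("/*"):
        prefix = pattern[:-2]  # '/*' -> '', '/doc2/*' -> '/doc2'
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return pattern == path

def best_match(path, patterns):
    """SRV.11.1 order (SRV.12.8.3 uses it to pick the constrained pattern):
    exact match, then longest path prefix, then extension, then default '/'."""
    hits = [p for p in patterns if matches(p, path)]
    if path in hits:
        return path
    prefixes = [p for p in hits if p.endswith("/*")]
    if prefixes:
        return max(prefixes, key=len)
    extensions = [p for p in hits if p.startswith("*.")]
    if extensions:
        return extensions[0]
    return "/" if "/" in hits else None

def combine(pattern):
    """SRV.12.8.1 for constraints naming the same url-pattern: an empty
    <auth-constraint/> precludes access whatever else is present, a missing
    <auth-constraint> allows unauthenticated access, otherwise roles are unioned."""
    applicable = [c for c in CONSTRAINTS if pattern in c["patterns"]]
    if any(c["roles"] is not None and not c["roles"] for c in applicable):
        return "precluded"
    if any(c["roles"] is None for c in applicable):
        return "unauthenticated"
    return set().union(*(c["roles"] for c in applicable))

def effective(path):
    """Return (selected url-pattern, effective constraint) for one request path."""
    patterns = [p for c in CONSTRAINTS for p in c["patterns"]]
    chosen = best_match(path, patterns)
    return (chosen, combine(chosen)) if chosen else (None, "unconstrained")
```

Calling effective("/readme.pdf") shows that the request matches both /* and *.pdf but the path-prefix pattern is selected, so the empty auth-constraint on *.pdf never enters the combination; combine("*.pdf") on its own still returns "precluded".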
Cause