Description
If you have the following in your web.xml:
<servlet-mapping>
  <servlet-name>SecureServlet</servlet-name>
  <url-pattern>/secure/*</url-pattern>
</servlet-mapping>
<login-config>
  ...
</login-config>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Security Test</web-resource-name>
    <url-pattern>/secure/adminonly</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>administrator</role-name>
  </auth-constraint>
</security-constraint>
Then the page /secure/adminonly is in fact completely unprotected – a user who's not logged in can see it!
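Independently of the container behaviour this report describes, a constraint that enumerates <http-method> elements covers only those verbs. The following audit script is an added example, not part of the report: it parses a web.xml (namespaced or not) and flags every security-constraint whose web-resource-collection lists methods, unless the Servlet 3.1 <deny-uncovered-http-methods/> element is declared. The sample web.xml is constructed from the constraint above plus a corrected, method-free one.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the report's constraint, then a corrected one with no method list.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Security Test</web-resource-name>
      <url-pattern>/secure/adminonly</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>administrator</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>All methods</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>administrator</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""


def _local(tag):
    # Strip a namespace prefix such as {http://java.sun.com/xml/ns/javaee}.
    return tag.rsplit("}", 1)[-1]


def find_method_limited_constraints(web_xml):
    """Return (url_patterns, methods) for each security-constraint whose
    web-resource-collection lists <http-method> elements: only those verbs are
    constrained, so other verbs reach the resource unless the deployment also
    declares <deny-uncovered-http-methods/> (Servlet 3.1)."""
    root = ET.fromstring(web_xml)
    if any(_local(e.tag) == "deny-uncovered-http-methods" for e in root.iter()):
        return []  # unlisted verbs are rejected outright, so listing is safe
    findings = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            patterns = [e.text.strip() for e in wrc if _local(e.tag) == "url-pattern"]
            methods = [e.text.strip() for e in wrc if _local(e.tag) == "http-method"]
            if methods:
                findings.append((tuple(patterns), tuple(methods)))
    return findings
```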