On Mon, 17 Sep 2001, Larry Isaacs wrote:
>
> >
> >
> > > 3. The spec doesn't address whether the form-login-page
> > and form-error-page
> > > should be excluded from the security-constraint, but it
> > makes sense that
> > > it should. It might be best to postpone this.
> >
> > +1 to postpone, there is a workaround ( to put them in a
> > different dir ).
>
> I'll mark this as something to save for a maintenance release
> of 3.3.
>
If you go this way, you would definitely want to make a note someplace
that apps cannot use a security constraint with a "/*" pattern, because
there is no "other" directory in which the login and error pages can be
put.
Because "/*" is a legal URL pattern, IMHO that means there *is* an
implicit spec requirement to support this. However, it's not a regression,
because 3.2 is broken here as well, so it can't really be called a
showstopper. (This feature is supported in 4.0, which took some pretty
interesting code gymnastics.)
Craig
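
The "/*" conflict discussed in this thread can be checked for mechanically. The following is an added example, not part of the original mail or of Tomcat: a Python lint that reports when a descriptor's form-login-page or form-error-page falls under one of its own security-constraint URL patterns. The sample descriptor and the function names are constructed for illustration, and the code assumes a DTD-style web.xml without XML namespaces.

```python
import xml.etree.ElementTree as ET

def pattern_matches(pattern, path):
    """Servlet url-pattern rules: exact match, '/prefix/*' path match, '*.ext' extension match."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]          # "/*" gives an empty prefix, so it covers every path
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return False

def covered_login_pages(web_xml_text):
    """Return (element, page, pattern) for each FORM page that a security-constraint protects."""
    root = ET.fromstring(web_xml_text)
    patterns = [p.text.strip() for p in
                root.findall("security-constraint/web-resource-collection/url-pattern")]
    hits = []
    for tag in ("form-login-page", "form-error-page"):
        node = root.find("login-config/form-login-config/" + tag)
        if node is None or not node.text:
            continue
        page = node.text.strip()
        hits += [(tag, page, pat) for pat in patterns if pattern_matches(pat, page)]
    return hits

# Constructed sample descriptor; only the protected url-pattern varies.
TEMPLATE = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>protected</web-resource-name>
      <url-pattern>{pattern}</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login/login.jsp</form-login-page>
      <form-error-page>/login/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""
WORKAROUND = TEMPLATE.format(pattern="/app/*")   # login pages live in a different dir
CATCH_ALL = TEMPLATE.format(pattern="/*")        # no "other" directory exists

if __name__ == "__main__":
    for name, xml in (("workaround", WORKAROUND), ("catch-all", CATCH_ALL)):
        print(name, covered_login_pages(xml))
```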