On Mon, 17 Sep 2001, Craig R. McClanahan wrote:
> If you go this way, you would definitely want to make a note someplace
> that apps cannot use a security constraint with a "/*" pattern, because
> there is no "other" directory in which the login and error pages can be
> put.
>
> Because "/*" is a legal URL pattern, IMHO that means there *is* an
> implicit spec requirement to support this. However, it's not a regression,
> because 3.2 is broken here as well, so it can't really be called a
> showstopper. (This feature is supported in 4.0, which took some pretty
> interesting code gymnastics.)

I'm not sure this is an implicit requirement - /* works fine with basic
authentication, and the rules for mapping URI constraints are _very_
explicit (well, too explicit I would say). There is no exception
mentioned in the prefix mapping (/* maps everything but the URIs used
for form-auth and maybe some error pages - since implicitly they are
supposed to work). IMHO explicit text takes precedence over implicit.

But this could also be resolved by adding ALLOWs for the login page.
(== more specific URI constraints that would match it)

Costin