http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10595

Summary:     Security Constraints not processed according to spec.
Product:     Tomcat 4
Version:     4.1.7
Platform:    All
OS/Version:  All
Status:      NEW
Severity:    Normal
Priority:    Other
Component:   Catalina
AssignedTo:  [EMAIL PROTECTED]
ReportedBy:  [EMAIL PROTECTED]

According to section 12.8 of the Servlet 2.3 spec, "The container matches URL patterns defined in security constraints using the same algorithm described in this specification for matching client requests to servlets and static resources as described in SRV.11.1."

This does not appear to be the case for Tomcat. Using the following two constraints in the order given produces correct behavior for MyPage.jsp (correct behavior is to match the first constraint, which applies no security):

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Unsecured Stuff</web-resource-name>
        <url-pattern>/MyPage.jsp</url-pattern>
      </web-resource-collection>
    </security-constraint>

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Entire Application</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>*</role-name>
      </auth-constraint>
    </security-constraint>

Reversing the order shouldn't change the behavior, because the MyPage.jsp pattern is an exact match (see rule 1, section 11.1). It should be matched first regardless of the order of the constraints. However, if you reverse the two constraints and request MyPage.jsp, the /* pattern is matched and the security is applied.