http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10595

Security Constraints not processed according to spec.

[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID



------- Additional Comments From [EMAIL PROTECTED]  2002-12-06 17:59 -------
There has been substantial discussion in the servlet spec expert group, and in
the JACC expert group (JSR-115) about the precise semantics of security
constraint matching.  The current interpretation is that the container should
pick the first constraint that has a matching URL pattern and apply it --
therefore, the order of your security constraints *is* significant.

Tomcat implements this interpretation; therefore I'm going to mark this bug as
INVALID (we can't change the implementation unless the specified behavior is
changed).  However, there are others that feel as you do about what the matching
policy should be.

I suggest you download the latest draft of the Servlet 2.4 Specification (it's
in Proposed Final Draft state now, but that doesn't mean it is cast in concrete
necessarily) and review the spec language that is planned for the next servlet
version, which will be supported by Tomcat 5.  You can find a link to this at:

  http://java.sun.com/products/servlet/

Feedback should be directed to the JSR-154 Expert Group, by mailing comments to:

  [EMAIL PROTECTED]
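
A model of the first-match interpretation described in the comment above, as an added example that is not part of the bug report and is not Tomcat's code: it reads constraints from a constructed web.xml fragment in document order and reports, for a request path, which roles apply and which later matching constraints are ignored. The function names, the sample descriptor, and the simplification of ignoring http-method elements and XML namespaces are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment (not from the bug report): broad rule listed first.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def matches(pattern, path):
    """Servlet-style URL pattern: '/prefix/*', '*.ext', default '/', or exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return pattern == "/" or pattern == path


def load_constraints(xml_text):
    """Return [(url_patterns, role_names)] in document order."""
    return [
        ([p.text.strip() for p in sc.iter("url-pattern")],
         [r.text.strip() for r in sc.iter("role-name")])
        for sc in ET.fromstring(xml_text).iter("security-constraint")
    ]


def audit(constraints, path):
    """Return (roles applied under first-match, indices of ignored later matches)."""
    hits = [i for i, (pats, _) in enumerate(constraints)
            if any(matches(p, path) for p in pats)]
    if not hits:
        return None, []          # no constraint matches: path is unprotected
    return constraints[hits[0]][1], hits[1:]


if __name__ == "__main__":
    ordered = load_constraints(WEB_XML)
    for label, cs in (("as written", ordered), ("specific first", ordered[::-1])):
        for path in ("/admin/users", "/index.html"):
            roles, ignored = audit(cs, path)
            print(f"{label:15} {path:13} roles={roles} ignored={ignored}")
```

A non-empty list of ignored indices for a sensitive path means a narrower constraint is shadowed by an earlier, broader one and the descriptor should be reordered.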
