Tomcat doesn't adhere to the (new) requirements in the 2.4 Servlet-Spec for handling the case of Overlapping Constraints: <spec-quote version="2.4 pfd3" section="12.8.1"> When a url-pattern and http-method pair occurs in multiple security constraints, the applicable constraints (on the pattern and method) are defined by combining the individual constraints. </spec-quote>
I see two ways to address this, but can't pick a clear favorite (hence asking for comments :).
1) Add a method 'List getSecurityConstraints(HttpRequest req, Context ctx)' to Realm, and have AuthenticatorBase loop through them.
2) Have RealmBase create its own special SecurityConstraint that is the intersection of all of the overlapping constraints, and leave AuthenticatorBase alone.
Case 1 has the advantage of being relatively clean from a coding standpoint. Case 2 would probably require adding a 'void intersect(SecurityConstraint sc)' method to the SecurityConstraint class to enable it to construct the correct permissions (and this looks like it would be a non-trivial method to implement).
Comments/Opinions/Flames?
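As an added illustration (not code from the thread or from Tomcat), here is what the case 2 "combined constraint" amounts to under the Servlet 2.4 section 12.8.1 rules: permitted roles are the union of the named roles, a constraint with no auth-constraint opens the pattern to unauthenticated access, an empty auth-constraint overrides everything and denies all, and accepted transport types are the union of the individual user-data-constraints (a missing one accepts the unprotected connection). The Constraint and ConstraintCombiner classes are hypothetical stand-ins, not Tomcat's SecurityConstraint API, and the "*" role is not modelled.

```java
import java.util.*;

// Hypothetical, simplified stand-in for Tomcat's SecurityConstraint (not the real class).
final class Constraint {
    // null = no <auth-constraint> (anyone allowed); empty set = <auth-constraint/> (nobody allowed)
    final Set<String> roles;
    // accepted transport types, e.g. "NONE", "INTEGRAL", "CONFIDENTIAL"; null = no <user-data-constraint>
    final Set<String> transports;
    Constraint(Set<String> roles, Set<String> transports) { this.roles = roles; this.transports = transports; }
}

final class ConstraintCombiner {
    /** Combines constraints that overlap on one url-pattern/http-method pair (Servlet 2.4, 12.8.1). */
    static Constraint combine(List<Constraint> overlapping) {
        boolean anyUnrestricted = false;   // some constraint carries no <auth-constraint>
        boolean anyDenyAll = false;        // some constraint carries an empty <auth-constraint>
        Set<String> roles = new TreeSet<String>();
        Set<String> transports = new TreeSet<String>();
        for (Constraint c : overlapping) {
            if (c.roles == null) anyUnrestricted = true;
            else if (c.roles.isEmpty()) anyDenyAll = true;
            else roles.addAll(c.roles);                     // union of named roles
            // a missing <user-data-constraint> makes the unprotected connection acceptable
            if (c.transports == null) transports.add("NONE"); else transports.addAll(c.transports);
        }
        Set<String> combined;
        if (anyDenyAll) combined = Collections.emptySet();  // empty auth-constraint wins: access precluded
        else if (anyUnrestricted) combined = null;          // unauthenticated access allowed
        else combined = roles;
        return new Constraint(combined, transports);
    }

    /** Would a request on this transport, by a principal holding these roles, pass the combined constraint? */
    static boolean permits(Constraint c, Set<String> userRoles, String transport) {
        if (!c.transports.contains(transport)) return false;
        if (c.roles == null) return true;                   // no auth-constraint: anyone
        for (String r : userRoles) if (c.roles.contains(r)) return true;
        return false;                                       // covers the empty (deny-all) set too
    }

    public static void main(String[] args) {
        // Constructed sample: two <security-constraint>s both covering GET on the same pattern.
        Constraint admins = new Constraint(new HashSet<String>(Arrays.asList("admin")),
                                           new HashSet<String>(Arrays.asList("CONFIDENTIAL")));
        Constraint managers = new Constraint(new HashSet<String>(Arrays.asList("manager")), null);
        Constraint merged = combine(Arrays.asList(admins, managers));
        System.out.println("roles=" + merged.roles + " transports=" + merged.transports);
        System.out.println("manager over plain HTTP: " + permits(merged, Collections.singleton("manager"), "NONE"));
        Constraint denyAll = new Constraint(Collections.<String>emptySet(), null);
        System.out.println("with empty auth-constraint added: "
            + permits(combine(Arrays.asList(admins, managers, denyAll)), Collections.singleton("admin"), "CONFIDENTIAL"));
    }
}
```

Note that the union rule means the "manager" constraint, which carries no user-data-constraint, makes plain HTTP acceptable for the admin pattern as well; that widening is exactly why a per-pattern combination step matters rather than picking whichever constraint matches first.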
1) seems better from your description. It could be a good idea to confirm that the spec change will still be in the final version.
I'd like to add that a lot of this code is unoptimized (it abuses substring, whereas it could likely use region matching), so maybe it could be a good opportunity to improve it (along with BASIC auth handling).
Remy