----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, April 19, 2004 1:42 PM
Subject: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

> luehe 2004/04/19 13:42:01
>
> Modified: catalina/src/share/org/apache/catalina/realm RealmBase.java
> Log:
> Exempt welcome pages from any security-constraint checks.
>
> The Servlet 2.4 spec does not require this (and there are no CTS tests
> for this), but it seems like a reasonable enhancement. I was told that
> the upcoming maintenance release of the Servlet spec is going to
> clarify this.
>
> If this change is controversial, I'll back it out for the time being,
> until it is backed by the Servlet spec. Please let me know.
>

I second Remy's -1.

The patch only exempts the top-level welcome file (e.g. /myapp/index.jsp), and so is meaningful mostly in the case where you have a security constraint mapped to '/*'. In this case, you can easily add a security-constraint with an exact pattern '/index.jsp' if you need the functionality. Also, if the welcome file includes links to images or stylesheets, then it is likely that you will have to set up even more complex security-constraints to allow it to display.

If the spec eventually mandates it, then we'll have to do it. Until then it breaks more things than it fixes, IMHO.