> -----Original Message----- > From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] > Sent: mercredi 29 août 2012 22:34 > To: Tomcat Users List > Subject: RE: Nondeterministic behaviour of security constraints in > Tomcat 7 > > > The problem occurs for HTTP requests matching to the most specific > URL > > pattern (in the above example, /a/b, /a/b/c, etc.), > > Please state where in the servlet spec that /a/b should be matched by > /a/b/*. (If the request for /a/b were to be redirected to /a/b/, that > would be matched.)
According to §13.8.3 of the spec [1]: "When a Servlet container receives a request, it shall use the algorithm described in "Use of URL Paths" on page 115 to select the constraints (if any) defined on the urlpattern that is the best match to the request URI" I agree that in the algorithm it is not explicitly stated that /a/b should match to /a/b/*, however §12.2.2 provides an example which, in my eyes, does so: TABLE 12-1 Example Set of Maps ------------------------------- Path Pattern Servlet /foo/bar/* servlet1 /baz/* servlet2 /catalog servlet3 *.bop servlet4 TABLE 12-2 Incoming Paths Applied to Example Maps -------------------------------------------------- Incoming Path Servlet Handling Request /foo/bar/index.html servlet1 /foo/bar/index.bop servlet1 /baz servlet2 /baz/index.html servlet2 > You might want to add /a/b as an explicit <url- > pattern> to avoid having requests to that target being handled by the > /a/* rule. > The same behaviour I described is verified as well for every other request that matches /a/b/*, such as /a/b/, /a/b/c, and so on. Best regards, Matteo --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
