Martin Grigorov <mgrigo...@apache.org> wrote:

> Someone else had the same/similar problem and the conclusion was that
> according to the Servlet specification this is the proper way to process
> the request - the request url should be normalized. If you need to protect
> some paths then you should do whatever is necessary in your application.

We have hundreds of applications running on Tomcat and path-based access control is currently handled outside Tomcat by Istio's RBAC in the cloud. It appears that this is not a great match then.

> Please use secur...@tomcat.apache.org for reporting (possible) security
> problems in the future! Thanks!

I'm sorry. I read https://tomcat.apache.org/security.html and it explicitly mentions using that address only for undisclosed security vulnerabilities. Since this issue seems to have been mentioned on the web in various places before, I thought it was fine to discuss this in public.

Nils.
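The mismatch Nils describes, as an added illustration that is not part of the thread and not Tomcat's or Istio's own code: a path-prefix deny rule evaluated on the raw request-target can be bypassed when the component behind it normalizes the URL before routing, and the fix on the application side is to evaluate the same rule on the normalized path. Python is used here for brevity rather than Java. The normalizer is a plain RFC 3986 remove_dot_segments with one round of percent-decoding; that this matches exactly what the container in front of the application does is an assumption, and the `/admin` rule and the sample request paths are constructed for the demo.

```python
"""Added example (not from the mailing-list thread): a path-based deny rule
checked on the raw request-target versus the same rule checked on the
normalized path that the backend will actually serve.

Assumptions (not stated in the thread):
  * the backend percent-decodes once, then removes '.' and '..' segments
    and empty segments, as in RFC 3986 section 5.2.4;
  * the deny rule, the sample paths and the expected results are constructed.
"""
from urllib.parse import unquote

# Constructed rule: everything at or under /admin must be denied.
DENY_PREFIXES = ("/admin",)


def normalize_path(path: str) -> str:
    """Return the path as the backend would see it after normalization.

    Percent-decodes once, then drops '.' segments, resolves '..' against
    the segment stack and collapses empty segments (so '//' and a trailing
    '/' disappear).  A second round of decoding is deliberately NOT done:
    the normalizer must mirror the backend exactly, or a new mismatch
    appears (see the double-encoded case in main()).
    """
    decoded = unquote(path)
    stack = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            continue
        stack.append(seg)
    return "/" + "/".join(stack)


def is_denied_raw(path: str) -> bool:
    """Prefix rule applied to the request-target exactly as received."""
    return any(path == p or path.startswith(p + "/") for p in DENY_PREFIXES)


def is_denied(path: str) -> bool:
    """Same prefix rule, but applied to the normalized path."""
    return is_denied_raw(normalize_path(path))


def compare(paths):
    """For each raw path, report the normalized form and both verdicts.

    A row with raw_denied=False and normalized_denied=True is a bypass of
    the raw-path check; a row with the opposite pattern is a false block.
    """
    rows = []
    for raw in paths:
        rows.append({
            "raw": raw,
            "normalized": normalize_path(raw),
            "raw_denied": is_denied_raw(raw),
            "normalized_denied": is_denied(raw),
        })
    return rows


def bypasses(paths):
    """Raw paths that slip past the raw-path rule but land under /admin."""
    return [r["raw"] for r in compare(paths)
            if not r["raw_denied"] and r["normalized_denied"]]


def main():
    # Constructed sample request-targets.
    samples = [
        "/public/index.html",          # harmless
        "/admin/users",                # plainly denied either way
        "/public/../admin/users",      # dot-segment bypass of the raw rule
        "/admin/%2e%2e/admin/users",   # encoded dot-segments
        "/%61dmin/users",              # encoded letter in the prefix
        "/public//../admin/./users",   # empty and '.' segments mixed in
        "/%252e%252e/admin/users",     # double-encoded: NOT resolved by one decode
    ]
    for r in compare(samples):
        print(f"{r['raw']:<30} -> {r['normalized']:<20} "
              f"raw_denied={r['raw_denied']!s:<5} normalized_denied={r['normalized_denied']}")
    print("bypasses of the raw-path rule:", bypasses(samples))


if __name__ == "__main__":
    main()
```

The last sample is the caveat that matters in practice: the double-encoded path is left alone by a single decode, so whether it is a bypass depends entirely on whether the backend decodes once or twice. Any rule evaluated in front of the application is only as good as the fidelity of its normalization to the backend's, which is why applying the check inside the application, on the path it is about to serve, is the robust option.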