> From: Rob Mercer [mailto:[EMAIL PROTECTED]
> Subject: RE: Welcome file bypasses security-constraint checking?
>
> Tomcat 6.0.14

Thanks.

> <security-constraint>
> <display-name>Not secured Pages</display-name>

[various unsecured declarations snipped]

> </security-constraint>
> <security-constraint>
> <display-name>Restrict Secured JSF Pages</display-name>
> <web-resource-collection>
> <web-resource-name>JSF</web-resource-name>
> <url-pattern>*.jsf</url-pattern>

The above should protect /seasonpass/index.jsf; does it?

> <url-pattern>/index.jsp</url-pattern>

The above *does not* protect /seasonpass/index.jsp? Did you expect it to?

> <url-pattern>/servlet/*</url-pattern>

OT: you're not using the InvokerServlet, are you? That would be abhorrent.

[protected methods snipped]

> </web-resource-collection>

[other constraints snipped]

> </security-constraint>
> <security-constraint>
> <display-name>Restrict Secured Servlets Pages</display-name>

[declarations snipped]

> </security-constraint>

More OT: the "Restrict Secured Servlets Pages" section is just a subset of "Restrict Secured JSF Pages", so you might as well just take it out.

I don't see anything in any of your constraints that would lead me to believe /seasonpass/index.jsp should be restricted. Looks like Tomcat is behaving properly.

 - Chuck
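An added example (not part of the original thread, and not Tomcat's own code): a small Python check that applies the Servlet specification's url-pattern rules to the three patterns quoted above and reports which request paths a constraint actually covers. It assumes the paths are context-relative (that `/seasonpass/` is a directory inside the webapp) and uses a constructed, namespace-free web.xml fragment; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed fragment: only the url-patterns visible in the thread.
WEB_XML = """
<web-app>
  <security-constraint>
    <display-name>Restrict Secured JSF Pages</display-name>
    <web-resource-collection>
      <web-resource-name>JSF</web-resource-name>
      <url-pattern>*.jsf</url-pattern>
      <url-pattern>/index.jsp</url-pattern>
      <url-pattern>/servlet/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
</web-app>
"""

def pattern_matches(pattern, path):
    """Servlet-spec url-pattern match against a context-relative path."""
    if pattern.startswith("/") and pattern.endswith("/*"):
        # Path-prefix mapping: /servlet/* covers /servlet and /servlet/...
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        # Extension mapping: applies in every directory of the webapp.
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    if pattern == "/":
        # Default mapping: treated here as covering every path.
        return True
    # Anything else is an exact match only; /index.jsp is NOT a suffix rule.
    return pattern == path

def covering_constraints(web_xml, path):
    """Return (display-name, url-pattern) pairs whose pattern covers path."""
    hits = []
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        name = sc.findtext("display-name", default="(unnamed)")
        for pat in sc.iter("url-pattern"):
            text = (pat.text or "").strip()
            if pattern_matches(text, path):
                hits.append((name, text))
    return hits

if __name__ == "__main__":
    for p in ("/seasonpass/index.jsf", "/seasonpass/index.jsp",
              "/index.jsp", "/servlet/Foo"):
        print(p, "->", covering_constraints(WEB_XML, p) or "NOT COVERED")
```

An empty result for a path that should require authentication means the constraint needs an additional pattern, for example a path-prefix pattern for that directory.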