André,

On 4/22/2009 12:37 PM, André Warnier wrote:
> Caldarale, Charles R wrote:
>>> From: Mikolaj Rydzewski [mailto:m...@ceti.pl]
>>> Subject: Re: Tomcat Security and Struts
>>>
>>> Mark Thomas wrote:
>>>> <url-pattern>/*</url-pattern> will protect everything.
>>>>
>>> If your login page uses any external assets (images, stylesheets,
>>> etc), it will become corrupted (assets won't load).
>>
>> Care to explain that? The above construct seems to work fine for our
>> static resources.
>>
> Maybe this: if the login page itself contains a link to a gif located
> in the same area, trying to load that gif will also hit the
> authentication bit, and trigger another login page, before the first
> even finishes displaying?

Precisely. Unfortunately, this actually makes things worse than you might think, since (some versions of) Tomcat stores the most recent request as the one to re-play after successful authentication. I have seen Tomcat respond post-authentication by serving a CSS file or graphic rather than the "expected" original request (usually an HTML page).

The solution, of course, is to leave your (appropriate) static content unprotected.

-chris