tomcat-dev mailing list archives

From "Jonathan Eric Miller" <jemil...@uchicago.edu>
Subject Re: Bug in basic HTTP authentication/resource protection in Tomcat 3.1?
Date Thu, 20 Jul 2000 20:00:05 GMT
I found that it also works if you put /class at the end. So, you need to
protect that as well.

Jon

----- Original Message -----
From: "Jonathan Eric Miller" <jemiller@uchicago.edu>
To: "Costin Manolache" <Costin.Manolache@eng.sun.com>;
<tomcat-dev@jakarta.apache.org>
Sent: Thursday, July 20, 2000 1:55 PM
Subject: Re: Bug in basic HTTP authentication/resource protection in Tomcat
3.1?


> Yeah, but it's running the same servlet. I didn't even know that
> SnoopServlet/ was a valid URL. IMHO, this should be changed. If it isn't I
> doubt that I will be the only one that makes this mistake.
>
> If it weren't for the fact that I accidentally typed the extra /, I would
> have a gaping hole in my application that I didn't even know about.
>
> It isn't really a problem with the resource protection, it's that
> SnoopServlet shouldn't get run if there is a trailing /.
>
> Jon
>
> ----- Original Message -----
> From: "Costin Manolache" <Costin.Manolache@eng.sun.com>
> To: <tomcat-dev@jakarta.apache.org>; <jemiller@uchicago.edu>
> Sent: Thursday, July 20, 2000 1:18 PM
> Subject: Re: Bug in basic HTTP authentication/resource protection in Tomcat 3.1?
>
>
> > > Jon
> > >
> > > P.S. I'm not actually subscribed to this list, so, please CC
> > > jemiller@uchicago.edu with any responses. Thanks.
> > >
> > >       <web-resource-collection>
> > >          <web-resource-name>Protected Area</web-resource-name>
> > >   <!-- Define the context-relative URL(s) to be protected -->
> > >          <url-pattern>/servlet/SnoopServlet</url-pattern>
> >
> > That's exact map - it protects snoopServlet but doesn't protect
> > SnoopServlet/
> >
> > Costin
> >
>
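The exact-match gap discussed in this thread, as an added example that is not part of the original messages or of Tomcat's code: a simplified model of the servlet url-pattern rules (exact, path-prefix `/*`, extension `*.ext`) that lists which request paths a `<security-constraint>` leaves uncovered. The XML fragments are constructed around the pattern quoted above, the `/class` form is assumed to mean that suffix appended to the servlet path, and all function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed fragment: repeats the url-pattern quoted in the thread.
ORIGINAL = """<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/servlet/SnoopServlet</url-pattern>
  </web-resource-collection>
</security-constraint>"""

# Assumed alternative: the same constraint with a path-prefix pattern.
WIDENED = ORIGINAL.replace("</url-pattern>", "/*</url-pattern>")

# Request paths named in the thread (the "/class" reading is an assumption).
REQUEST_PATHS = [
    "/servlet/SnoopServlet",
    "/servlet/SnoopServlet/",
    "/servlet/SnoopServlet/class",
]


def pattern_matches(pattern: str, path: str) -> bool:
    """Model of url-pattern matching; the default mapping "/" is left out."""
    if pattern.endswith("/*"):
        # Path-prefix pattern: the prefix itself or anything below it.
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        # Extension pattern: compared against the last path segment only.
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    # Anything else is an exact match: a trailing "/" is a different path.
    return path == pattern


def url_patterns(constraint_xml: str) -> list:
    """Collect every <url-pattern> value inside the constraint."""
    root = ET.fromstring(constraint_xml)
    return [el.text.strip() for el in root.iter("url-pattern") if el.text]


def uncovered(constraint_xml: str, paths: list) -> list:
    """Return the request paths that no url-pattern in the constraint matches."""
    patterns = url_patterns(constraint_xml)
    return [p for p in paths
            if not any(pattern_matches(pat, p) for pat in patterns)]


if __name__ == "__main__":
    print("exact pattern leaves uncovered: ", uncovered(ORIGINAL, REQUEST_PATHS))
    print("prefix pattern leaves uncovered:", uncovered(WIDENED, REQUEST_PATHS))
```

This models the pattern rules only; whether a given container also dispatches those extra paths to the same servlet, as reported above for Tomcat 3.1, has to be checked against the running server.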

