tomcat-dev mailing list archives

From Hans Bergsten <>
Subject Re: security-constraint
Date Sat, 02 Sep 2000 22:22:11 GMT
Jon Stevens wrote:
> on 9/2/2000 2:31 PM, "Hans Bergsten" <> wrote:
> > You don't specify who has access. Try adding an <auth-constraint>
> > element as well. Also, I'm not sure <transport-guarantee> is
> > implemented. What you specify here is that the resources must only
> > be made available if an HTTPS connection is used. Was that the
> > intention?
> Can I see a working example please? Reading and trying to figure out that
> DTD sucks. I can't tell what goes where or what does what and the
> documentation comments in it don't make much sense at all. :-(

This is an example that works in TC 3.2 Beta 3:


    <realm-name>ORA Examples</realm-name>


It used to be possible to use an empty <auth-constraint> element in TC 3.1
to make it impossible for anyone to access a resource (e.g. for resources
that should only be accessed through a servlet using RD.forward()). In 
TC 3.2, an empty element seems to make the resources accessible to anyone 
without authentication. That looks like a bug to me ;-)

Hans Bergsten
Gefion Software
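
Added example, not part of the original message and not Tomcat code: a small Python check that lists each <security-constraint> in a web.xml and flags a missing or empty <auth-constraint>, the two cases discussed above. The sample descriptor, its URL patterns, resource names and role name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample (Servlet 2.2 style, no namespace); URL patterns,
# resource names and the role name are hypothetical.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>https-only</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>forward-only</web-resource-name>
      <url-pattern>/internal/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def audit_constraints(web_xml):
    """Return (url_patterns, auth_status, transport_guarantee) per constraint."""
    rows = []
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        patterns = [p.text.strip() for p in sc.iter("url-pattern")]
        auth = sc.find("auth-constraint")
        if auth is None:
            status = "MISSING"   # constraint names nobody as having access
        elif auth.find("role-name") is None:
            status = "EMPTY"     # the message reports TC 3.1 and 3.2 differ here
        else:
            status = "ROLES:" + ",".join(r.text.strip() for r in auth.iter("role-name"))
        tg = sc.findtext("user-data-constraint/transport-guarantee")
        rows.append((patterns, status, tg))
    return rows

if __name__ == "__main__":
    for row in audit_constraints(SAMPLE_WEB_XML):
        print(row)
```

A constraint reported as EMPTY is worth testing with an unauthenticated request on the exact container version in use, since the message describes it denying everyone in TC 3.1 and admitting everyone in TC 3.2.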
