From: Paul Lamb
To: "'tomcat-dev@jakarta.apache.org'"
Subject: RE: Catalina & Welcome Files
Date: Mon, 9 Oct 2000 16:42:59 -0500

Craig,

I've been thinking about this some more today. And from looking at the 2.3 spec, pg 80, sect 12.8 paragraph 2:

"All requests that contain a request path that matches the URL pattern described in the web resource collection is subject to the constraint."

It's the "all requests..." that has caused me to think that the constraints should be consulted after expansion. Then in the next paragraph is the wording: "...must be part of to access...". I'd rather claim that security constraints are 100% enforced, without exception. In my mind (which is often wrong) this also covers includes, forwards and welcome pages.

As a whole nother matter, for one of my apps I've updated the JDBCRealm to use user-defined SQL to obtain the user info and the roles as opposed to just plain table names. If you'd like to include it, I'll do the diffs and e-mail them.

Whatever happened to the LDAP realm? Was it a licensing problem with the Mozilla LDAP module? I'm getting ready to do one and would be happy to contribute it if it doesn't cause licensing problems.

Paul Lamb

> Paul Lamb wrote:
>
> > I noticed today that with the latest Catalina that it doesn't seem to check
> > security constraints on welcome files.
> >
> > If my welcome file is "app/default.htm", and I have a security constraint on
> > /app/* and I request http://localhost, it will return default.htm without
> > prompting to login. But if I request http://localhost/app/default.htm then
> > it will send the login.
>
> I've asked the spec lead for the servlet spec (Danny Coward) for an
> interpretation on this. Whether the login dialog should be triggered depends on
> whether security constraints apply to the original request URI (which is what
> Catalina does currently) or the expanded URI. It's not clear what the right
> answer is.
>
> > Paul Lamb
>
> Craig McClanahan
>
> ====================
> See you at ApacheCon Europe !
> Session VS01 (23-Oct 13h00-17h00): Sun Technical Briefing
> Session T06 (24-Oct 14h00-15h00): Migrating Apache JServ Applications to Tomcat
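As an added illustration (not code from the thread, nor Catalina's own implementation), the following Python models the two interpretations Craig describes: checking the security constraint against the original request URI versus against the URI after welcome-file expansion, using the /app/* constraint and app/default.htm welcome file from Paul's report. The simplified servlet-spec URL-pattern matcher and the expand_welcome helper are my own assumptions, as is the single-welcome-file context.

```python
# Constructed sample configuration taken from the thread: one web resource
# collection protecting /app/*, and app/default.htm as the only welcome file.
CONSTRAINED_PATTERNS = ["/app/*"]
WELCOME_FILES = ["app/default.htm"]

def pattern_matches(pattern: str, path: str) -> bool:
    """Simplified servlet-spec URL pattern matching (assumption, not Catalina's code):
    default '/', path-prefix '/x/*', extension '*.ext', otherwise exact match."""
    if pattern == "/":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def is_constrained(path: str) -> bool:
    """True if any web resource collection's pattern covers this path."""
    return any(pattern_matches(p, path) for p in CONSTRAINED_PATTERNS)

def expand_welcome(path: str) -> str:
    """A directory request (trailing '/') resolves to the first welcome file;
    any other path is returned unchanged. Hypothetical single-file model."""
    if path.endswith("/"):
        return path + WELCOME_FILES[0]
    return path

def requires_login_original_uri(request_uri: str) -> bool:
    """Behaviour Paul reports for the Catalina build: the constraint is
    evaluated against the raw request URI, before welcome-file expansion."""
    return is_constrained(request_uri)

def requires_login_expanded_uri(request_uri: str) -> bool:
    """Paul's reading of sect 12.8: the constraint is evaluated against the
    URI actually served, i.e. after welcome-file expansion."""
    return is_constrained(expand_welcome(request_uri))

def find_unprotected(request_uris):
    """URIs where the two policies disagree: a protected resource would be
    served without the login dialog under the original-URI policy."""
    return [u for u in request_uris
            if requires_login_expanded_uri(u) and not requires_login_original_uri(u)]

if __name__ == "__main__":
    for u in ["/", "/app/default.htm", "/public/"]:
        print(f"{u:18} -> {expand_welcome(u):24} original={requires_login_original_uri(u)!s:5} "
              f"expanded={requires_login_expanded_uri(u)}")
    print("served without login:", find_unprotected(["/", "/app/default.htm", "/public/"]))
```

Running it reproduces the report: http://localhost (path "/") is served without a login prompt under the original-URI policy but would require one under the expanded-URI policy, while /app/default.htm requires login under both.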