tomcat-dev mailing list archives

From "Bill Barker" <wbar...@wilshire.com>
Subject [BUG] TC3.3B1 ignores transport-guarantee in web.xml
Date Mon, 20 Aug 2001 23:21:57 GMT
    It seems that everybody is delegating the checking of
transport-guarantee to somebody else, and as a result it is never checked.
Fortunately, this is easy to reproduce:

1) Add a
<user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
to the security-constraint

2) Access the page via http://myserver/myapp/path/to/page

The page will happily be displayed even though the use of the http protocol
was disallowed.
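
The check the report says nobody performs, sketched as an added example (not part of the original message and not Tomcat's code): it reads the transport-guarantee constraints from a deployment descriptor and decides whether a plain-http request to a context-relative path should be refused. The sample web.xml, the /path/* pattern and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (assumption, not from the original post).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>secure area</web-resource-name>
      <url-pattern>/path/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

def local(tag):
    """Strip an XML namespace so namespaced descriptors parse too."""
    return tag.rsplit("}", 1)[-1]

def texts(parent, name):
    """Text of every descendant element called `name`."""
    return [e.text.strip() for e in parent.iter() if local(e.tag) == name and e.text]

def protected_patterns(web_xml):
    """url-patterns whose constraint demands INTEGRAL or CONFIDENTIAL transport."""
    patterns = []
    for sc in ET.fromstring(web_xml).iter():
        if local(sc.tag) != "security-constraint":
            continue
        if any(g in ("INTEGRAL", "CONFIDENTIAL") for g in texts(sc, "transport-guarantee")):
            patterns += texts(sc, "url-pattern")
    return patterns

def matches(pattern, path):
    """Servlet url-pattern matching: exact, path-prefix ('/x/*') and extension ('*.ext')."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return pattern == path

def transport_allowed(web_xml, scheme, path):
    """False when a plain-http request hits a path that requires a secure transport."""
    if scheme == "https":
        return True
    return not any(matches(p, path) for p in protected_patterns(web_xml))
```

With the reproduction steps above, the path inside the myapp context is /path/to/page, and transport_allowed(WEB_XML, "http", "/path/to/page") returns False.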

