tomcat-dev mailing list archives

From Remy Maucherat <r...@apache.org>
Subject Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java
Date Wed, 02 Mar 2005 19:56:23 GMT
luehe@apache.org wrote:
> luehe       2005/03/02 11:27:11
> 
>   Modified:    catalina/src/share/org/apache/catalina/realm RealmBase.java
>   Log:
>   Consider the case where original request was mapped to welcome page.
>   In this case, the mapped welcome page (and not the original request
>   URI!) needs to be the target of hasResourcePermission().
>   
>   This is consistent with the change that had been made in findSecurityConstraints().
>   
>   BTW, shouldn't request.getDecodedRequestURI() return the mapped
>   welcome page (instead of the original URI) in this case?
>   In other words, shouldn't the path passed to
>     mappingData.requestPath.setString(pathStr)
>   in Mapper.java be propagated to the request object associated with the
>   mappingData?

I consider welcome files to be internal forwards (since it is allowed to 
handle them this way). As a result, they shouldn't be matched by 
security constraints. Only the original request path should be used 
(so here it's getDecodedRequestURI - as sent by the client).

Rémy
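
The two policies debated in this thread, as an added example that is not part of the original messages and is not Tomcat code: a toy model compares matching security constraints against the original request URI with matching against the mapped welcome page. The class, method names, sample resources and constraint sets are all assumptions constructed for illustration.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;

// Toy model for illustration; every name here is hypothetical, none is Tomcat API.
public class WelcomeConstraintDemo {
    static final List<String> WELCOME_FILES = List.of("index.jsp", "index.html");
    // Constructed sample webapp content.
    static final Set<String> RESOURCES = Set.of("/admin/index.jsp", "/index.html");

    // Exact and path-prefix ("/dir/*") url-patterns only; extension patterns omitted.
    static boolean matches(String pattern, String path) {
        if (pattern.endsWith("/*")) {
            String prefix = pattern.substring(0, pattern.length() - 2);
            return path.equals(prefix) || path.startsWith(prefix + "/");
        }
        return pattern.equals(path);
    }

    // Role demanded by the first matching constraint, or null if none applies.
    static String requiredRole(Map<String, String> constraints, String path) {
        for (Map.Entry<String, String> c : constraints.entrySet()) {
            if (matches(c.getKey(), path)) return c.getValue();
        }
        return null;
    }

    // Directory request -> first existing welcome file, else the URI unchanged.
    static String mapWelcome(String uri) {
        if (!uri.endsWith("/")) return uri;
        for (String w : WELCOME_FILES) {
            if (RESOURCES.contains(uri + w)) return uri + w;
        }
        return uri;
    }

    public static void main(String[] args) {
        Map<String, String> exact = Map.of("/admin/index.jsp", "admin");
        Map<String, String> prefix = Map.of("/admin/*", "admin");
        for (String uri : List.of("/admin/", "/admin/index.jsp")) {
            String mapped = mapWelcome(uri);
            System.out.printf("%-17s -> %-17s exact: original=%s mapped=%s | prefix: original=%s mapped=%s%n",
                uri, mapped,
                requiredRole(exact, uri), requiredRole(exact, mapped),
                requiredRole(prefix, uri), requiredRole(prefix, mapped));
        }
    }
}
```

With the exact pattern the two policies disagree only for the directory request `/admin/`; with the path-prefix pattern `/admin/*` both policies demand the role for both requests.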
