tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Nam T. Nguyen" <>
Subject RE: Bug in Combining Authorization Constraints
Date Mon, 21 Nov 2005 09:27:03 GMT
Replying to my own post.

Sorry, the attachment mysteriously disappeared. Anyway, the important
part is here

		<web-resource-name>Index 1</web-resource-name>
		<web-resource-name>Index 2</web-resource-name>


Random humorous quote: The only problem with mornings is that they
happen too early in the day.

Subject: Bug in Combining Authorization Constraints


I have two <security-constraint> elements in my deployment descriptor.

One has auth-constraint <role-name>*</role-name>, and the other does not
have any <auth-constraint>. They both have a same <url-pattern>.

By SRV.12.8.1 Combining Constraints:

A security constraints that does not contain an authorization constraint
shall combine with authorization constraints that name or imply roles to
allow unauthenticated access.

Applying to the attached .war file, my interpretation of this is access
to /index.jsp is accepted. However, Tomcat 5.5.12 returns status code
401 (Authorization Required).


Random humorous quote: Work is the greatest thing in the world, so save
some for tomorrow.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message