tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Craig R. McClanahan" <>
Subject Re: container managed authentication - how?
Date Thu, 07 Dec 2000 19:37:23 GMT
Christian Sell wrote:

> hello,
> I just installed Tomcat 3.2 and deployed my web application, which is
> running sucessfully nuder Orion and JRun, using form-based authentication.
> However, Tomcat completely ignores the security-constraint settings. How can
> I get Tomcat to enforce this? Does Tomcat support container-managed
> security?
> thanks in advance..
> Christian
> BTW, Heres my web.xml, in case somebody wants to take a look:

Thanks for including this -- it is the key to understanding your problem.

In your <security-constraint>, you are specifying <url-pattern> entries that are
not legal according to the servlet specification (such as "*/WCFAdmin.jsp" and
"*/wcfsystem").  The legal syntax only allows "*" wildcards at the *end* of the
URL, not the beginning.  If JRun supports these values, it is doing so outside
of the servlet spec, and is therefore not portable.

For more information on the legal syntax for URL patterns, and pretty much
everything else that is mandated about servlets, see the Servlet API
Specification, version 2.2, which you can download from

Craig McClanahan

View raw message