tomcat-users mailing list archives

From "Nils O. Selåsdal" <nosel...@frisurf.no>
Subject Need workaround for Tomcat security.
Date Sun, 15 Jul 2001 22:11:59 GMT
OK, I needed to put some security constraints on a directory, so I added this
to my web.xml:
<security-constraint>
   <display-name>UQoS Amin Area</display-name>
   <web-resource-collection>
      <web-resource-name>UQoS Amin Area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
   </web-resource-collection>
I use BASIC authentication using the memory realm.
It works like it's supposed to when someone goes to my http://xxx/webapp/Admin/ or
something below it. HOWEVER, if they type http://xxx/webapp//Admin/ (or even
more slashes), all security checks are bypassed and anyone is let right in!
(The same thing always happens; try it with the 'security' example shipped with
Tomcat.)
Severe bug! I have posted it to BugZilla. This applies to at least Tomcat
3.2.1 and 3.2.2.
And I need it fixed as soon as possible. Does anyone know a workaround for
this one? (I'd rather not upgrade to Tomcat 4 yet; it seems like it's fixed here.)
-- 
Nils O. Selåsdal
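
Added example (not part of the original message and not Tomcat source code): a simplified model of why a "/admin/*" constraint compared against the raw request path misses "//admin/...", and how normalizing the path before the comparison closes the gap. The class and method names are hypothetical, the request paths are constructed, and the handling of "." and ".." segments goes beyond the doubled-slash case reported above.

```java
import java.util.ArrayDeque;
import java.util.List;

// Simplified model of "/dir/*" url-pattern matching; hypothetical names,
// not the container's real matching code.
public class ConstraintMatchDemo {

    // Compares the path exactly as received against a "/dir/*" pattern.
    // A leading "//" makes the prefix test fail, so no constraint applies.
    static boolean matchesRaw(String pattern, String path) {
        String prefix = pattern.substring(0, pattern.length() - 2); // strip "/*"
        return path.equals(prefix) || path.startsWith(prefix + "/");
    }

    // Collapses runs of '/' and resolves "." and ".." segments so the
    // constraint check sees the same path the resource lookup resolves.
    static String normalize(String path) {
        ArrayDeque<String> out = new ArrayDeque<>();
        for (String seg : path.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue; // "//" and "/./"
            if (seg.equals("..")) { out.pollLast(); continue; } // never above root
            out.addLast(seg);
        }
        String joined = "/" + String.join("/", out);
        // Keep a trailing slash so directory requests still look like directories.
        return path.endsWith("/") && !out.isEmpty() ? joined + "/" : joined;
    }

    // Hardened check: normalize first, then apply the same pattern test.
    static boolean matchesNormalized(String pattern, String path) {
        return matchesRaw(pattern, normalize(path));
    }

    public static void main(String[] args) {
        String pattern = "/admin/*";
        // Constructed request paths, relative to the web application root.
        List<String> paths = List.of("/admin/index.jsp", "//admin/index.jsp",
                "///admin/", "/public/../admin/index.jsp", "/public/index.jsp");
        for (String p : paths) {
            System.out.printf("%-28s raw=%-5b normalized=%-5b%n",
                    p, matchesRaw(pattern, p), matchesNormalized(pattern, p));
        }
    }
}
```

Any row where raw is false and normalized is true is a request the unnormalized check would let through without authentication.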
