tomcat-users mailing list archives

From Marius Scurtescu <mar...@sxip.com>
Subject security-constraint pattern: /* vs /
Date Wed, 15 Feb 2006 02:06:01 GMT
Hi all,

I am trying to secure the index page of a web application but
at the same time allow deeper paths to be unprotected. For example:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/</url-pattern>
    <url-pattern>/other/protected/*</url-pattern>
  </web-resource-collection>
</security-constraint>

But Tomcat 5.0 and 5.5 behave as if I had written:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/*</url-pattern>
    <url-pattern>/other/protected/*</url-pattern>
  </web-resource-collection>
</security-constraint>

...they basically secure everything.

I checked the source code, and indeed, the "/" pattern is treated as a
special one and it is called the "universal mapper".

I could not find anything in the spec about this "universal mapper" and
also I could not find anything that explains this behaviour for "/".

Any suggestions in this regard?

Thanks,
Marius
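
An added illustration, not part of the original message and not Tomcat's source code: a small Java matcher modelled on the servlet specification's url-pattern mapping rules (exact, path-prefix "/*", extension "*.ext", and "/" as the default mapping), run over constructed sample paths with the two pattern sets from the message. It assumes security-constraint patterns are matched with those same rules; the class and method names are hypothetical.

```java
import java.util.Arrays;
import java.util.List;

public class UrlPatternDemo {
    // Ordered from most to least specific; NONE means the path is not covered.
    enum Kind { EXACT, PREFIX, EXTENSION, DEFAULT, NONE }

    // Classify how a single url-pattern matches a context-relative path.
    static Kind match(String pattern, String path) {
        if (pattern.equals(path)) return Kind.EXACT;
        if (pattern.endsWith("/*")) {
            // "/a/*" covers "/a" and everything below it; "/*" has an empty base.
            String base = pattern.substring(0, pattern.length() - 2);
            if (path.equals(base) || path.startsWith(base + "/")) return Kind.PREFIX;
        }
        if (pattern.startsWith("*.") && path.endsWith(pattern.substring(1))) {
            return Kind.EXTENSION;
        }
        // A bare "/" is the default mapping: it catches whatever nothing else matched.
        if (pattern.equals("/")) return Kind.DEFAULT;
        return Kind.NONE;
    }

    // Most specific match kind across all patterns of one constraint.
    static Kind best(List<String> patterns, String path) {
        Kind best = Kind.NONE;
        for (String p : patterns) {
            Kind k = match(p, path);
            if (k.ordinal() < best.ordinal()) best = k;
        }
        return best;
    }

    public static void main(String[] args) {
        // The two pattern sets from the message.
        List<String> slash = Arrays.asList("/", "/other/protected/*");
        List<String> slashStar = Arrays.asList("/*", "/other/protected/*");
        // Constructed sample request paths.
        String[] paths = { "/", "/index.jsp", "/public/page.html", "/other/protected/report" };
        System.out.printf("%-26s %-10s %-10s%n", "path", "with \"/\"", "with \"/*\"");
        for (String path : paths) {
            System.out.printf("%-26s %-10s %-10s%n", path, best(slash, path), best(slashStar, path));
        }
    }
}
```

Under these rules neither pattern set leaves any sample path uncovered; the two differ only in which rule produces the match.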


