tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: An issue concerning authentication in Tomcat hosted web application
Date Tue, 04 Nov 2008 22:27:18 GMT

Caldarale, Charles R wrote:
>> From: Nar Karapetyan [] Subject: An
>> issue concerning authentication in Tomcat hosted web application
>> This snippet says that any url ending with ".action" or ".jsp"
>> should be authenticated first, and works OK.
>> However, I need to exclude some specific urls which end with 
>> ".action". (e.g. RSS feed urls that contain the string "rss").
> There's no provision for using regular expressions in section 12 of
> the Servlet Spec.  I think you can add another <security-constraint>
> listing the specific RSS URLs you want to allow, but do not include a
> nested <auth-constraint> element.  This should allow unauthenticated
> access, if I'm interpreting the spec (and Tomcat's implementation
> thereof) properly.
> You might want to take a look at SecurityFilter, which is more
> flexible than strict declarative security: 

SecurityFilter's handling of URL mappings is spec-compliant. We haven't
added any bells or whistles in here. It's mostly things like drive-by
logins and such.

Your interpretation of the spec matches ours: if you create a
<web-resource-collection> that matches "*.action" and another one that
matches "/full/path/to/my/special.action", then the latter will match
/first/ because it is a "longer" match. Order in the web.xml file is
irrelevant. Basically, the more-specific mapping always wins, which is
typically exactly what you want.

For more information, the OP should read chapter 11 ("Mapping Requests
to Servlets") in the servlet spec. It clearly defines how URLs should be
mapped to servlets (and the security constraints follow the identical
URL mapping rules).

-chris
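The two-constraint approach described above, as an added example that is not part of the original thread or of Tomcat's code: a small Python model of the Servlet spec's URL-matching precedence (exact, then longest "/prefix/*", then "*.ext") run against a constructed web.xml. The role name "user" is an assumption, the path is the one from the message, and the default "/" pattern is not modelled.

```python
# Added example (not from the thread or from Tomcat): parse a constructed
# web.xml and resolve which <security-constraint> governs a request path
# using the spec's precedence: exact, longest "/prefix/*", then "*.ext".
import xml.etree.ElementTree as ET

# Constructed web.xml: "*.action" and "*.jsp" need the "user" role; the
# second constraint has no <auth-constraint>, so its one URL is public.
WEB_XML = """<web-app>
 <security-constraint>
  <web-resource-collection><web-resource-name>app</web-resource-name>
   <url-pattern>*.action</url-pattern><url-pattern>*.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint><role-name>user</role-name></auth-constraint>
 </security-constraint>
 <security-constraint>
  <web-resource-collection><web-resource-name>rss</web-resource-name>
   <url-pattern>/full/path/to/my/special.action</url-pattern>
  </web-resource-collection>
 </security-constraint>
</web-app>"""

def parse_constraints(xml_text):
    """Yield (url_pattern, roles); roles is None when <auth-constraint>
    is absent, which the spec treats as unauthenticated access."""
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        ac = sc.find("auth-constraint")
        roles = None if ac is None else [r.text for r in ac.iter("role-name")]
        for p in sc.iter("url-pattern"):
            yield p.text, roles

def specificity(pattern, path):
    """Rank a match (higher = more specific); None when no match."""
    if pattern == path:
        return (3, 0)                                # exact match
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))                  # longest prefix wins
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, 0)                                # extension match
    return None

def resolve(path, constraints):
    """Return (winning_pattern, roles); (None, None) if nothing matches.
    roles None means no login required; web.xml order is irrelevant."""
    hits = [(specificity(p, path), p, r) for p, r in constraints
            if specificity(p, path) is not None]
    if not hits:
        return None, None
    return max(hits, key=lambda h: h[0])[1:]
```

Note that only the exactly listed URL becomes public; a sibling such as /full/path/to/my/rss.action still falls under "*.action", so every URL to open up must be listed (or covered by a "/prefix/*" pattern) since the spec offers no regular expressions.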