tomcat-users mailing list archives

From "Caldarale, Charles R" <Chuck.Caldar...@unisys.com>
Subject RE: Request not forwarded to login page with security-constraint after session time-out
Date Thu, 26 Feb 2009 23:12:46 GMT
> From: Mark Thomas [mailto:markt@apache.org]
> Subject: Re: Request not forwarded to login page with
> security-constraint after session time-out
>
> If "*" is all roles defined and you have no roles
> defined then you are basically preventing anyone
> from accessing that resource

That's not quite what it says.  The actual wording:

"The special role name "*" is a shorthand for all role names defined in the deployment descriptor.
 An authorization constraint that names no roles indicates that access to the constrained
requests must not be permitted under any circumstances."

In the OP's case, the authorization constraint does name roles, albeit just the shorthand
version.  What the spec is not explicit about is the combination of "*" with an empty or non-existent
<security-role> list.  The OP (and others) have interpreted the "*" and no <security-role>
list to indicate no roles are needed for authorization.  For all we know, the intent of the
spec writers may have been to allow that.

 - Chuck


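The three deployment-descriptor cases the thread is arguing about, as an added illustration that is not part of the original message and not taken from the Tomcat project: the OP's ambiguous form ("*" with no <security-role> declared), the explicit form whose meaning the spec text quoted above does pin down, and the deny-all form. Servlet names, URL patterns and the role name "user" are assumptions made for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed web.xml fragment (Servlet 2.5 schema); not from the original post. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- Case 1: the OP's form. "*" is shorthand for "all roles defined in the
       deployment descriptor", but no <security-role> is declared, so the set
       of roles "*" expands to is empty. The spec text quoted in the thread does
       not say what a container must do here; do not rely on it. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Ambiguous area (assumed path)</web-resource-name>
      <url-pattern>/ambiguous/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Case 2: the explicit form. A role is declared, so "*" (or naming the
       role directly) unambiguously means "authenticated AND in role 'user'".
       Unauthenticated requests are sent to the login page configured below. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected area (assumed path)</web-resource-name>
      <url-pattern>/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Case 3: an auth-constraint that names no roles at all. Per the spec text
       quoted above, access "must not be permitted under any circumstances". -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Blocked area (assumed path)</web-resource-name>
      <url-pattern>/internal/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <!-- The declaration that Case 1 lacks. -->
  <security-role>
    <role-name>user</role-name>
  </security-role>

  <!-- FORM login so that an unauthenticated request to a constrained URL
       (e.g. after the session has expired) is redirected to the login page. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>
```

If the intent is "any authenticated user, regardless of role", the portable way in a Servlet 2.5/3.0 descriptor is Case 2: declare at least one <security-role> and grant it to every authenticated user in the realm. Servlet 3.1 later added the distinct role name "**" for exactly that meaning, which is why "*" with no declared roles should be treated as an ambiguity to remove rather than a behaviour to depend on.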
