tomcat-users mailing list archives

From "Caldarale, Charles R" <Chuck.Caldar...@unisys.com>
Subject RE: Request not forwarded to login page with security-constraint after session time-out
Date Fri, 27 Feb 2009 00:22:27 GMT
> From: Mark Thomas [mailto:markt@apache.org]
> Subject: Re: Request not forwarded to login page with
> security-constraint after session time-out

> > What the spec is not explicit about is the combination
> > of "*" with an empty or non-existent <security-role> list.

> I think it is quite clear. It means no-one gets access.

We'll have to agree to disagree; I find it ambiguous, and obviously others have different
interpretations, so it definitely isn't clear.  I'd like to see the spec document how authentication
can be configured when no authorization (and therefore no roles) is necessary.

> Chuck and I are off on our own little tangent.

Not sure that's entirely true, since the OP's situation (authentication without need for authorization)
doesn't seem to be covered by the spec, and behavior of other containers (and even different
versions of Tomcat) may well differ from what he's getting today.

 - Chuck

