tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: Request not forwarded to login page with security-constraint after session time-out
Date Thu, 26 Feb 2009 21:36:18 GMT
Caldarale, Charles R wrote:
>> From: Marcel Stör [mailto:marcel@frightanic.com]
>> Subject: Re: Request not forwarded to login page with
>> security-constraint after session time-out
>>
>> No, I only mentioned this because Tomcat throws an SQL exception
>> because it tries to query a table called "" if I don't specify a role
>> table in the realm config in context.xml
> 
> That's because of the strong implication in the servlet spec that roles are required;
> any behavior you observe in a particular Tomcat level when no roles exist is very likely an
> accident and not guaranteed from one version to the next.

The spec is clearer than that. The "*" role == all roles defined in web.xml.

Unfortunately, Tomcat used to treat "*" as any authenticated user - not
quite what the spec requires. That was fixed - check the change log for
the version.

The undocumented realm attribute allRolesMode (see RealmBase) can be
used to control this behaviour.

Mark
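
The configuration the message refers to, as an added example that is not part of the original post. The role names, URL pattern, JNDI data source name and table/column names are constructed; the three `allRolesMode` values are the ones Tomcat's RealmBase accepts and are not listed in the message itself.

```xml
<!-- WEB-INF/web.xml (fragment). In an auth-constraint, "*" is shorthand for
     every role declared in a <security-role> element of this same file. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected area</web-resource-name> <!-- constructed -->
    <url-pattern>/app/*</url-pattern>                     <!-- constructed -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>

<!-- Without these declarations "*" expands to an empty set of roles, so under
     the spec-compliant interpretation no user can satisfy the constraint. -->
<security-role><role-name>user</role-name></security-role>   <!-- constructed -->
<security-role><role-name>admin</role-name></security-role>  <!-- constructed -->

<!-- META-INF/context.xml (fragment). allRolesMode is inherited from RealmBase:
       strict          "*" = the roles declared in web.xml; the user must
                       hold at least one of them (default, what the spec says)
       authOnly        "*" = any authenticated user, roles are not checked
                       (the older Tomcat behaviour described in the message)
       strictAuthOnly  as authOnly while web.xml declares no roles, as strict
                       once it declares any
     Realm class, data source and table/column names below are assumptions. -->
<Realm className="org.apache.catalina.realm.DataSourceRealm"
       dataSourceName="jdbc/authDB"
       localDataSource="true"
       userTable="users"
       userNameCol="user_name"
       userCredCol="user_pass"
       userRoleTable="user_roles"
       roleNameCol="role_name"
       allRolesMode="strict"/>
```

With `authOnly`, every account the realm can authenticate passes a `*` constraint regardless of role membership, so check which mode is in effect before relying on `*` to separate classes of users.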
