tomcat-users mailing list archives

From Marcel Stör <mar...@frightanic.com>
Subject Re: Request not forwarded to login page with security-constraint after session time-out
Date Fri, 27 Feb 2009 22:17:38 GMT

On 27.02.2009, at 17:38, Christopher Schultz wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Chuck,
>
> On 2/26/2009 5:39 PM, Caldarale, Charles R wrote:
>>> From: Mark Thomas [mailto:markt@apache.org] Subject: Re: Request
>>> not forwarded to login page with security-constraint after session
>>> time-out
>>>
>>> The spec is clearer than that. The "*" role == all roles defined in
>>> web.xml.
>>
>> Yes, but what it's not clear about is what happens when there are
>> *no* roles defined in web.xml, which is the situation the OP has.
>
> It's worse than that: he has no roles table defined, so he gets
> SQLExceptions during authorization.


[OT]
Yes, indeed.
I had expected that Tomcat would handle this more gracefully. I find  
it odd that JDBCRealm does try to run a query against the role table  
without checking first if one has even been defined. This is  
particularly annoying because the <Realm> tag in context.xml cannot be  
validated against a DTD or schema -> from a configuration point of  
view I'm not required to define it.

Regards,
Marcel

-- 
Marcel Stör, http://www.frightanic.com
Blog: http://frightanic.wordpress.com
Couchsurfing: http://www.couchsurfing.com/people/marcelstoer
Skype: marcelstoer
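
The message above notes that the <Realm> element in context.xml is not validated against any DTD or schema. A small pre-deployment check can cover that gap; this is an added example, not part of the original post or of Tomcat. It assumes the JDBCRealm role-lookup attributes `userRoleTable` and `roleNameCol`; the function name and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

JDBC_REALM = "org.apache.catalina.realm.JDBCRealm"
# Role-lookup attributes of JDBCRealm; no DTD or schema forces them to be set.
ROLE_ATTRS = ("userRoleTable", "roleNameCol")


def find_incomplete_realms(xml_text):
    """Return (position, missing_attrs) for each JDBCRealm without role attributes.

    position is the index of the <Realm> element in document order, counting
    wrapper realms (e.g. LockOutRealm) as well. Hypothetical helper.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for position, realm in enumerate(root.iter("Realm")):
        if realm.get("className") != JDBC_REALM:
            continue
        missing = [a for a in ROLE_ATTRS if not (realm.get(a) or "").strip()]
        if missing:
            findings.append((position, missing))
    return findings


# Constructed sample: users table configured, role table left out.
SAMPLE_INCOMPLETE = """
<Context>
  <Realm className="org.apache.catalina.realm.JDBCRealm"
         driverName="org.example.Driver"
         connectionURL="jdbc:example://db.invalid/app"
         userTable="users" userNameCol="name" userCredCol="pass"/>
</Context>
"""

# Constructed sample: nested JDBCRealm with both role attributes set.
SAMPLE_COMPLETE = """
<Context>
  <Realm className="org.apache.catalina.realm.LockOutRealm">
    <Realm className="org.apache.catalina.realm.JDBCRealm"
           driverName="org.example.Driver"
           connectionURL="jdbc:example://db.invalid/app"
           userTable="users" userNameCol="name" userCredCol="pass"
           userRoleTable="user_roles" roleNameCol="role"/>
  </Realm>
</Context>
"""

if __name__ == "__main__":
    for position, missing in find_incomplete_realms(SAMPLE_INCOMPLETE):
        print(f"Realm #{position}: missing {', '.join(missing)}")
```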

