From: Mark Thomas
Date: Thu, 26 Feb 2009 23:29:34 +0000
To: Tomcat Users List
Subject: Re: Request not forwarded to login page with security-constraint after session time-out
Message-ID: <49A725DE.1040801@apache.org>
In-Reply-To: <0AAE5AB84B013E45A7B61CB66943C17215B85F7E7E@USEA-EXCH7.na.uis.unisys.com>

Caldarale, Charles R wrote:
>> From: Mark Thomas [mailto:markt@apache.org]
>> Subject: Re: Request not forwarded to login page with
>> security-constraint after session time-out
>>
>> If "*" is all roles defined and you have no roles
>> defined then you are basically preventing anyone
>> from accessing that resource
>
> That's not quite what it says. The actual wording:
>
> "The special role name "*" is a shorthand for all role names defined in the deployment descriptor. An authorization constraint that names no roles indicates that access to the constrained requests must not be permitted under any circumstances."

I think the current implementation follows from that. "*" is all roles defined.
If there are no roles defined then the auth constraint names no roles and all users are blocked.

> In the OP's case, the authorization constraint does name roles, albeit just the shorthand version. "*" makes no sense in * I suspect what Tomcat is doing is creating a role named "*". Since no user has been assigned to that role, no user is permitted access.
>
> What the spec is not explicit about is the combination of "*" with an empty or non-existent list.

I think it is quite clear. It means no-one gets access.

> The OP (and others) have interpreted the "*" and no list to indicate no roles are needed for authorization.

Indeed. So did Tomcat for many versions.

> For all we know, the intent of the spec writers may have been to allow that.

I know that that was not the intent. The current behaviour was the intent.

Mark
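The rule Mark lays out in this reply, as an added example that is not part of the original message or of Tomcat's own code: a small Python model that parses a web.xml, expands "*" to the roles declared in <security-role>, and reports what happens to a request. The two descriptor fragments are constructed for this example (the first is the OP's situation: "*" with no <security-role> at all), the url-pattern matcher is a simplified stand-in for the container's, and the legacy_star switch is an assumption that models the earlier Tomcat reading the thread mentions, where "*" with no declared roles admitted any authenticated user. The difference between a 403 with no credential challenge (the "not forwarded to login page" symptom in the subject line) and a redirect to the login page is modelled from the spec wording quoted above, not taken from Tomcat's source.

```python
import xml.etree.ElementTree as ET
from typing import Iterable, Optional, Set

# Constructed sample: the OP's descriptor, "*" with no <security-role>.
WEB_XML_NO_ROLES = """\
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>
"""

# Constructed sample: the same descriptor with roles for "*" to expand to.
WEB_XML_WITH_ROLES = WEB_XML_NO_ROLES.replace(
    "</web-app>",
    "  <security-role><role-name>user</role-name></security-role>\n"
    "  <security-role><role-name>admin</role-name></security-role>\n"
    "</web-app>",
)


def _local(tag: str) -> str:
    """Strip a namespace ({uri}name -> name) so a real web.xml with the
    javaee xmlns parses the same way as the bare samples above."""
    return tag.rsplit("}", 1)[-1]


def _children(el: ET.Element, name: str):
    return [c for c in el if _local(c.tag) == name]


def _matches(pattern: str, path: str) -> bool:
    """Simplified url-pattern matching (assumption, not the container's)."""
    if pattern in ("/", "/*"):
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def declared_roles(root: ET.Element) -> Set[str]:
    """Every <security-role>/<role-name> in the descriptor."""
    return {(rn.text or "").strip()
            for sr in _children(root, "security-role")
            for rn in _children(sr, "role-name")}


def expand_roles(named: Iterable[str], declared: Set[str]) -> Set[str]:
    """Resolve one <auth-constraint>'s role list. "*" stands for the declared
    roles, so with no <security-role> it contributes nothing and the
    constraint ends up naming no roles at all."""
    out: Set[str] = set()
    for role in named:
        if role == "*":
            out |= declared
        else:
            out.add(role)
    return out


def decide(web_xml: str, path: str, user_roles: Optional[Set[str]] = None,
           legacy_star: bool = False) -> str:
    """Outcome for a request to `path`: "open", "login", "allowed" or
    "denied" (403 with no credential challenge). user_roles=None is an
    unauthenticated request; a set, even an empty one, is an authenticated
    principal. legacy_star=True models the earlier Tomcat reading."""
    root = ET.fromstring(web_xml)
    declared = declared_roles(root)
    for sc in _children(root, "security-constraint"):
        patterns = [(p.text or "").strip()
                    for wrc in _children(sc, "web-resource-collection")
                    for p in _children(wrc, "url-pattern")]
        if not any(_matches(p, path) for p in patterns):
            continue
        auth = _children(sc, "auth-constraint")
        if not auth:
            return "open"            # constraint carries no auth requirement
        named = {(rn.text or "").strip() for rn in _children(auth[0], "role-name")}
        if legacy_star and "*" in named and not declared:
            return "login" if user_roles is None else "allowed"
        allowed = expand_roles(named, declared)
        if not allowed:
            return "denied"          # names no roles: deny all, no challenge
        if user_roles is None:
            return "login"           # roles required: challenge for credentials
        return "allowed" if allowed & user_roles else "denied"
    return "open"                    # no constraint covers this path
```

With WEB_XML_NO_ROLES every request to /secure/* comes back "denied", authenticated or not, and nobody is ever sent to /login.jsp; adding the <security-role> declarations (WEB_XML_WITH_ROLES) is what makes "*" mean something again, at which point an unauthenticated request gets the login page and a user in one of the declared roles gets through.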