tomcat-users mailing list archives

From Tim Funk <funk...@apache.org>
Subject Re: Security Constraint conflict
Date Sat, 19 Sep 2009 00:18:38 GMT
My bad - I was quoting the servlet 3.0 spec (usually the headings align).

I need to reread but it might be a bug. (I don't have the spec in front
of me) but IIRC it said something to the effect of using the url + the
HTTP method to get all applicable constraints. And then unioning them
together. Since the /* doesn't apply to GET - it shouldn't count as part
of the UNION (but I'd have to create a test case and trace it to see
what's happening in reality in the code).

It sounds like the case described just takes into account URL for the
unioning of constraints.


-Tim

Christopher Schultz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Peter,
> 
> On 9/18/2009 4:34 PM, Peter Holcomb wrote:
>> Thanks for your response.  I've read through the example in 13.7.2 of
>> the spec
> 
> Which version of the spec? I don't see a section 13.8 at all in either
> 2.4 or 2.5 of the spec. I see the heading "Combining Constraints" listed
> under 12.7.1.
> 
>> but I don't think I'm understanding how the union works.
> 
> I think Tim is incorrect, here. Neither the url-pattern nor the
> http-methods overlap, therefore no combining should occur.
> 
>> According to my thought process, the url patterns are:
>>
>> *.xhtml - access precluded
>>
>> /* PUT,DELETE,TRACE,OPTIONS - access precluded
> 
> The example I see in 12.7.2 seems to support your expectations.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
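
Added example, not part of the original message and not Tomcat's code: a simplified Python model of the two selection behaviours contrasted above (URL plus HTTP method versus URL only), run on the two constraints quoted in the thread. It assumes every pattern matching the URL is a candidate (no best-match selection) and that an empty role set means access precluded; all function and variable names are illustrative.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Constraint:
    pattern: str                      # url-pattern, e.g. "*.xhtml" or "/*"
    methods: frozenset = frozenset()  # empty = applies to every HTTP method
    roles: frozenset = frozenset()    # empty = access precluded


def url_matches(pattern, path):
    """Extension, path-prefix and exact url-pattern matching."""
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern


def decide(constraints, path, method, user_roles=(), method_aware=True):
    """Select applicable constraints, union them, return 'permit' or 'deny'."""
    applicable = [
        c for c in constraints
        if url_matches(c.pattern, path)
        and (not method_aware or not c.methods or method in c.methods)
    ]
    if not applicable:
        return "permit"               # nothing constrains this request
    if any(not c.roles for c in applicable):
        return "deny"                 # a no-role constraint overrides the union
    allowed = frozenset().union(*(c.roles for c in applicable))
    return "permit" if allowed & set(user_roles) else "deny"


# The two constraints quoted in the thread; both preclude access.
THREAD_CONSTRAINTS = [
    Constraint("*.xhtml"),
    Constraint("/*", methods=frozenset({"PUT", "DELETE", "TRACE", "OPTIONS"})),
]


def disagreements(constraints, requests):
    """Requests for which URL-only selection changes the decision."""
    return [(m, p) for m, p in requests
            if decide(constraints, p, m)
            != decide(constraints, p, m, method_aware=False)]


if __name__ == "__main__":
    sample = [("GET", "/index.jsp"), ("GET", "/page.xhtml"), ("PUT", "/index.jsp")]
    print(disagreements(THREAD_CONSTRAINTS, sample))
```

Running the same comparison over a deployed application's real constraints and a list of expected requests shows which URL and method pairs depend on how the container selects constraints.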

