tomcat-users mailing list archives

From Tim Funk
Subject Re: Security Constraint conflict
Date Sat, 19 Sep 2009 00:18:38 GMT
My bad - I was quoting the servlet 3.0 spec (usually the headings align)

I need to reread but it might be a bug. (I don't have the spec in front 
of me) but IIRC it said something to the effect of using the url + the 
HTTP method to get all applicable constraints. And then unioning them 
together. Since the /* doesn't apply to GET - it shouldn't count as part 
of the UNION (but I'd have to create a test case and trace it to see 
what's happening in reality in the code)

It sounds like the case described just takes into account URL for the 
unioning of constraints.


Christopher Schultz wrote:
> Peter,
> On 9/18/2009 4:34 PM, Peter Holcomb wrote:
>> Thanks for your response.  I've read through the example in 13.7.2 of
>> the spec
> Which version of the spec? I don't see a section 13.8 at all in either
> 2.4 or 2.5 of the spec. I see the heading "Combining Constraints" listed
> under 12.7.1.
>> but I don't think I'm understanding how the union works.
> I think Tim is incorrect, here. Neither the url-pattern nor the
> http-methods overlap, therefore no combining should occur.
>> According to my thought process, the url patterns are:
>> *.xhtml - access precluded
>> /* PUT,DELETE,TRACE,OPTIONS - access precluded
> The example I see in 12.7.2 seems to support your expectations.
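
The two readings discussed in this thread, as an added example (not part of the original messages and not Tomcat's code): a simplified Python model that selects constraints either by URL plus HTTP method, as Tim recalls the spec, or by URL alone, using the two constraints Peter lists. The function names, sample paths and the simplified pattern matching are assumptions made for illustration.

```python
# Constructed model of the two constraints Peter lists; not Tomcat code.
PRECLUDED = frozenset()          # auth-constraint naming no roles

CONSTRAINTS = [
    # (url-pattern, http-methods or None for "all methods", roles)
    ("*.xhtml", None, PRECLUDED),
    ("/*", {"PUT", "DELETE", "TRACE", "OPTIONS"}, PRECLUDED),
]

def url_matches(pattern, path):
    """Simplified url-pattern test: '/prefix/*', '*.ext', or exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return pattern == path

def applicable(path, method, use_method):
    """Constraints selected for a request under one of the two readings."""
    return [c for c in CONSTRAINTS
            if url_matches(c[0], path)
            and (not use_method or c[1] is None or method in c[1])]

def decide(path, method, use_method=True):
    """Return 'open', 'precluded', or the union of allowed roles."""
    selected = applicable(path, method, use_method)
    if not selected:
        return "open"                       # no constraint applies
    if any(roles == PRECLUDED for _, _, roles in selected):
        return "precluded"                  # empty role list overrides
    return set().union(*(roles for _, _, roles in selected))

def compare(path, method):
    """(URL + method reading, URL-only reading) for one request."""
    return decide(path, method, True), decide(path, method, False)

if __name__ == "__main__":
    # Constructed sample requests.
    for path, method in [("/page.xhtml", "GET"), ("/index.html", "GET"),
                         ("/index.html", "PUT")]:
        print(method, path, compare(path, method))
```

The two readings differ only for GET /index.html: selecting by URL alone pulls in the /* constraint even though GET is not among its listed methods.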
