tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Security Constraint conflict
Date Sun, 20 Sep 2009 22:42:34 GMT

Bill,

On 9/18/2009 9:47 PM, Bill Barker wrote:
> I haven't checked the Servlet 3 spec, but with earlier versions, the union 
> process is to give you the *least* restrictive checking (i.e. you just have 
> to pass one constraint to pass).  And, yes, the url-patterns in this case 
> overlap since '/*' and '*.xhtml' both apply to /myapp/foobar.xhtml.  There 
> is no provision for 'best match' on url-pattern like there is for 
> servlet-mapping.  So Tim is right, and Tomcat is doing what the spec says it 
> should do.

Peter's original constraints never mentioned anything about the GET
method on /*.  Is silence consent in this scenario? I would imagine that
explicitly prohibiting PUT, DELETE, TRACE, and OPTIONS does not tacitly
allow GET. :(

-chris
