tomcat-users mailing list archives

From André Warnier
Subject Re: Security Constraint conflict
Date Mon, 21 Sep 2009 12:40:48 GMT
Caldarale, Charles R wrote:
>> From: Pid
>> Subject: Re: Security Constraint conflict
>> The logical union of 'no methods' and 'some methods' is 'some methods',
>> isn't it?  But...
> Yes, except the spec says the operation is *not* a union when a constraint has no roles.
> Rather than an "or" effect, a no-roles constraint does an "and".  My interpretation for this
> instance is that the result should be that operations other than PUT, DELETE, TRACE, and OPTIONS
> are allowed for all requests other than those ending in *.xhtml.

I suggest that the Servlet Spec be revised by a German engineer, to the 
effect that everything not specifically allowed is forbidden.
That would make this all a lot less ambiguous.
