tomcat-users mailing list archives

From "Bill Barker" <billwbar...@verizon.net>
Subject Re: Security Constraint conflict
Date Sat, 19 Sep 2009 01:47:39 GMT

"Christopher Schultz" <chris@christopherschultz.net> wrote in message 
news:4AB3F5F1.5060008@christopherschultz.net...
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Peter,
>
> On 9/18/2009 4:34 PM, Peter Holcomb wrote:
>> Thanks for your response.  I've read through the example in 13.7.2 of
>> the spec
>
> Which version of the spec? I don't see a section 13.8 at all in either
> 2.4 or 2.5 of the spec. I see the heading "Combining Constraints" listed
> under 12.7.1.
>
>> but I don't think I'm understanding how the union works.
>
> I think Tim is incorrect, here. Neither the url-pattern nor the
> http-methods overlap, therefore no combining should occur.
>

I haven't checked the Servlet 3 spec, but with earlier versions, the union 
process is to give you the *least* restrictive checking (i.e. you just have 
to pass one constraint to pass).  And, yes, the url-patterns in this case 
overlap since '/*' and '*.xhtml' both apply to /myapp/foobar.xhtml.  There 
is no provision for 'best match' on url-pattern like there is for 
servlet-mapping.  So Tim is right, and Tomcat is doing what the spec says it 
should do.

Complaints would have to be sent to the Servlet spec expert group ;).

>> According to my thought process, the url patterns are:
>>
>> *.xhtml - access precluded
>>
>> /* PUT,DELETE,TRACE,OPTIONS - access precluded
>
> The example I see in 12.7.2 seems to support your expectations.
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkqz9fEACgkQ9CaO5/Lv0PCyhQCghhbzT4ruq1in03G4GTbsI2DD
> v7UAmgKCOefa4O0gcDBTsnDHHePDDSY9
> =UViR
> -----END PGP SIGNATURE----- 



