From: Tim Funk
Date: Fri, 18 Sep 2009 20:18:38 -0400
To: Tomcat Users List
Subject: Re: Security Constraint conflict
Message-ID: <4AB4235E.8010601@apache.org>

My bad - I was quoting the servlet 3.0 spec (usually the headings align) I need to reread but it might be a bug.
(I don't have the spec in front of me) but IIRC it said something to the effect of using the url + the HTTP method to get all applicable constraints. And then unioning them together. Since the /* doesn't apply to GET - it shouldn't count as part of the UNION (but I'd have to create a test case and trace it to see what's happening in reality in the code)

It sounds like the case described just takes into account URL for the unioning of constraints.

-Tim

Christopher Schultz wrote:
> Peter,
>
> On 9/18/2009 4:34 PM, Peter Holcomb wrote:
>> Thanks for your response. I've read through the example in 13.7.2 of
>> the spec
>
> Which version of the spec? I don't see a section 13.8 at all in either
> 2.4 or 2.5 of the spec. I see the heading "Combining Constraints" listed
> under 12.7.1.
>
>> but I don't think I'm understanding how the union works.
>
> I think Tim is incorrect, here. Neither the url-pattern nor the
> http-methods overlap, therefore no combining should occur.
>
>> According to my thought process, the url patterns are:
>>
>> *.xhtml - access precluded
>>
>> /* PUT,DELETE,TRACE,OPTIONS - access precluded
>
> The example I see in 12.7.2 seems to support your expectations.
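
An added example, not part of the original message, the spec text or Tomcat's code: a simplified Python model of the two readings discussed in this thread, using the two url-patterns quoted above. The dictionary layout, function names and sample request paths are assumptions, and the model unions every matching pattern as recalled in the message rather than modelling the spec's best-match selection.

```python
# Constructed from the two patterns quoted in the thread.
# An empty method set means the constraint lists no http-method,
# so it applies to every method.
CONSTRAINTS = [
    {"pattern": "*.xhtml", "methods": frozenset(), "precluded": True},
    {"pattern": "/*",
     "methods": frozenset({"PUT", "DELETE", "TRACE", "OPTIONS"}),
     "precluded": True},
]


def url_matches(pattern, path):
    """Simplified servlet url-pattern match: '*.ext', '/prefix/*' or exact."""
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern


def method_matches(constraint, method):
    """A constraint with no listed methods covers all of them."""
    return not constraint["methods"] or method in constraint["methods"]


def applicable(path, method, use_method=True):
    """Constraints to be unioned for a request.

    use_method=True  : select on url + HTTP method (the rule as recalled).
    use_method=False : select on url only (the behaviour suspected as a bug).
    """
    return [
        c for c in CONSTRAINTS
        if url_matches(c["pattern"], path)
        and (not use_method or method_matches(c, method))
    ]


def precluded(path, method, use_method=True):
    """Access is precluded if any constraint in the union precludes it."""
    return any(c["precluded"] for c in applicable(path, method, use_method))


if __name__ == "__main__":
    for path, method in [("/index.html", "GET"), ("/index.html", "PUT"),
                         ("/page.xhtml", "GET")]:
        print(method, path,
              "url+method:", precluded(path, method),
              "url-only:", precluded(path, method, use_method=False))
```

The two readings differ only for a request such as GET /index.html, where the /* constraint matches the URL but not the method.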