tomcat-dev mailing list archives

From "Bill Barker" <>
Subject Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm
Date Mon, 19 Apr 2004 23:14:08 GMT

----- Original Message -----
From: <>
To: <>
Sent: Monday, April 19, 2004 1:42 PM
Subject: cvs commit:

> luehe       2004/04/19 13:42:01
>   Modified:    catalina/src/share/org/apache/catalina/realm
>   Log:
>   Exempt welcome pages from any security-constraint checks.
>   The Servlet 2.4 spec does not require this (and there are no CTS tests
>   for this), but it seems like a reasonable enhancement. I was told that
>   the upcoming maintenance release of the Servlet spec is going to
>   clarify this.
>   If this change is controversial, I'll back it out for the time being,
>   until it is backed by the Servlet spec. Please let me know.

I second Remy's -1.  The patch exempts only the top level welcome file
(e.g. /myapp/index.jsp), and so is meaningful mostly in the case where you
have a security constraint mapped to '/*'.  In this case, you can easily add
a security-constraint with an exact pattern '/index.jsp' if you need the

Also, if the welcome file includes links to images or stylesheets, then it
is likely that you will have to set up even more complex security-constraints
to allow it to display.  If the spec eventually mandates it, then we'll have
to do it.  Until then it breaks more things than it fixes, IMHO.
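
A Servlet 2.4 deployment descriptor illustrating the alternative described in the message above: a constraint on '/*' plus a more specific constraint, with no auth-constraint, for the welcome file and the static resources it links to. This is an added example, not part of the original message or of Tomcat's code; the role name `user`, the realm name and the `/css/*` and `/images/*` paths are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>

  <!-- Default: every resource requires an authenticated user in role "user". -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Whole application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Exemption: the exact pattern /index.jsp and the longer path prefixes
       are better matches than /*, so only this constraint applies to them.
       It has no auth-constraint element, so no authentication is required.
       The /css/* and /images/* entries are assumed locations for the
       stylesheets and images the welcome page links to. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Public welcome page and its assets</web-resource-name>
      <url-pattern>/index.jsp</url-pattern>
      <url-pattern>/css/*</url-pattern>
      <url-pattern>/images/*</url-pattern>
    </web-resource-collection>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Example Realm</realm-name>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>
```

Every pattern added to the second constraint is served without authentication, so the list should name only what the welcome page actually needs.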
