You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@tomcat.apache.org by To...@putnam.com on 2002/08/02 00:15:17 UTC

web.xml security-constraint bug?

i noticed that if you add the url-pattern /* as a web-resource-collection
in a security constraint
and you use FORM auth-method for login-config

if form-login-page is included in the same webapp, there seems to be an
endless loop.

is there anyway to specify an url-pattern that includes all except
login.jsp?

thanks

-Tony



--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>

Re: web.xml security-constraint bug?

Posted by "Craig R. McClanahan" <cr...@apache.org>.


On Thu, 1 Aug 2002 Tony_Chao@putnam.com wrote:

> Date: Thu, 1 Aug 2002 18:15:17 -0400
> From: Tony_Chao@putnam.com
> Reply-To: Tomcat Users List <to...@jakarta.apache.org>
> To: tomcat-user@jakarta.apache.org
> Subject: web.xml security-constraint bug?
>
> i noticed that if you add the url-pattern /* as a web-resource-collection
> in a security constraint
> and you use FORM auth-method for login-config
>
> if form-login-page is included in the same webapp, there seems to be an
> endless loop.
>

Not if the container is designed correctly.  Tomcat 4, at least, deals
with this situation just fine, because it doesn't try to apply the
constraint against the form login page or form error page.

> is there anyway to specify an url-pattern that includes all except
> login.jsp?
>
> thanks
>
> -Tony

Craig


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>