Posted to dev@tomcat.apache.org by Bill Barker <wb...@wilshire.com> on 2001/08/21 01:21:57 UTC

[BUG] TC3.3B1 ignores transport-guarantee in web.xml

    It seems that everybody is delegating the checking of
transport-guarantee to somebody else, and as a result it is never checked.
Fortunately, this is easy to reproduce:

1) Add a
<user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
to the security-constraint

2) Access the page via http://myserver/myapp/path/to/page

The page will happily be displayed even though the use of the http protocol
was disallowed.