Posted to users@tomcat.apache.org by Marius Scurtescu <ma...@sxip.com> on 2006/02/15 03:06:01 UTC

security-constraint pattern: /* vs /

Hi all,

I am trying to secure the index page of a web application but
at the same time allow deeper paths to be unprotected. For example:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/</url-pattern>
      <url-pattern>/other/protected/*</url-pattern>
  </web-resource-collection>
</security-constraint>

But Tomcat 5.0 and 5.5 behave as if I had written:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/*</url-pattern>
      <url-pattern>/other/protected/*</url-pattern>
  </web-resource-collection>
</security-constraint>

...they basically secure everything.

I checked the source code, and indeed, the "/" pattern is treated as a
special one and it is called the "universal mapper".

I could not find anything in the spec about this "universal mapper" and
also I could not find anything that explains this behaviour for "/".

Any suggestions in this regard?

Thanks,
Marius
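
The behaviour reported above, as an added example that is not part of the original post and is not Tomcat's code: a Python model of the Servlet specification's url-pattern matching order (exact, longest path prefix, extension, then the default pattern "/"), the same order the specification uses to pick the security constraint for a request. The function names, the sample request paths and the `/index.jsp` pattern are assumptions made for the illustration.

```python
# Added illustration: models the Servlet spec's url-pattern matching order.
# This is not Tomcat source code.

def best_match(patterns, path):
    """Return the url-pattern that best matches path, or None if none does."""
    # 1. Exact match. "/" alone is the default pattern and is handled last.
    for p in patterns:
        if p != "/" and not p.endswith("/*") and not p.startswith("*.") and p == path:
            return p
    # 2. Longest path-prefix match ("/dir/*" covers "/dir" and all below it).
    best = None
    for p in patterns:
        if p.endswith("/*"):
            prefix = p[:-2]
            if (path == prefix or path.startswith(prefix + "/")) and \
                    (best is None or len(p) > len(best)):
                best = p
    if best is not None:
        return best
    # 3. Extension match ("*.jsp") on the last path segment.
    last = path.rsplit("/", 1)[-1]
    if "." in last and "*." + last.rsplit(".", 1)[-1] in patterns:
        return "*." + last.rsplit(".", 1)[-1]
    # 4. Default pattern "/": the best match for every path not matched above.
    return "/" if "/" in patterns else None

def constrained_paths(patterns, paths):
    """Return the subset of paths that fall under some pattern."""
    return [path for path in paths if best_match(patterns, path) is not None]

# The two pattern sets from the post.
FROM_POST_SLASH = ["/", "/other/protected/*"]
FROM_POST_WILDCARD = ["/*", "/other/protected/*"]
# Hypothetical exact pattern, only to contrast with the default pattern.
HYPOTHETICAL_EXACT = ["/index.jsp", "/other/protected/*"]

# Constructed request paths (relative to the context root).
SAMPLE_PATHS = ["/", "/index.jsp", "/public/page.html",
                "/other/protected/report", "/other/open/info"]

if __name__ == "__main__":
    for name, pats in [("slash", FROM_POST_SLASH),
                       ("wildcard", FROM_POST_WILDCARD),
                       ("exact", HYPOTHETICAL_EXACT)]:
        print(name, constrained_paths(pats, SAMPLE_PATHS))
```

Under this model both pattern sets from the post cover every sample path, while an exact pattern covers only the path it names.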


