Posted to users@tomcat.apache.org by Marius Scurtescu <ma...@sxip.com> on 2006/02/15 03:06:01 UTC
security-constraint pattern: /* vs /
Hi all,
I am trying to secure the index page of a web application but
at the same time allow deeper paths to be unprotected. For example:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/</url-pattern>
    <url-pattern>/other/protected/*</url-pattern>
  </web-resource-collection>
</security-constraint>
But Tomcat 5.0 and 5.5 behave as if I had written:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/*</url-pattern>
    <url-pattern>/other/protected/*</url-pattern>
  </web-resource-collection>
</security-constraint>
...they basically secure everything.
I checked the source code, and indeed, the "/" pattern is treated as a
special one and it is called the "universal mapper".
I could not find anything in the spec about this "universal mapper" and
also I could not find anything that explains this behaviour for "/".
Any suggestions in this regard?
Thanks,
Marius
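
The behaviour described above, modelled as an added example that is not part of the original post and is not Tomcat's code. It assumes security-constraint patterns follow the Servlet specification's mapping rules for url-patterns, where a pattern of exactly "/" is the default mapping; the sample paths and the /index.jsp pattern set are constructed for illustration.

```python
# Model of Servlet-spec url-pattern matching (illustration only, not Tomcat source).

def classify(pattern):
    """Return the mapping kind a url-pattern falls into."""
    if pattern == "/":
        return "default"      # catches every request no other pattern matched
    if pattern.startswith("/") and pattern.endswith("/*"):
        return "prefix"       # path-prefix mapping
    if pattern.startswith("*."):
        return "extension"
    return "exact"


def best_match(patterns, path):
    """Best match in spec order: exact, longest prefix, extension, default."""
    if path in (p for p in patterns if classify(p) == "exact"):
        return path
    prefixes = [p for p in patterns if classify(p) == "prefix"
                and (path == p[:-2] or path.startswith(p[:-1]))]
    if prefixes:
        return max(prefixes, key=len)
    last_segment = path.rsplit("/", 1)[-1]
    for p in patterns:
        if classify(p) == "extension" and last_segment.endswith(p[1:]):
            return p
    return "/" if "/" in patterns else None   # None: no constraint applies


# Pattern sets: the two from the post, plus a constructed exact-match set.
POSTED = ["/", "/other/protected/*"]
WILDCARD = ["/*", "/other/protected/*"]
EXACT = ["/index.jsp", "/other/protected/*"]   # hypothetical page name

# Constructed sample request paths (relative to the context root).
SAMPLE_PATHS = ["/index.jsp", "/public/page.html", "/other/protected/report"]


def coverage(patterns, paths=SAMPLE_PATHS):
    """Map each sample path to the pattern that constrains it, or None."""
    return {path: best_match(patterns, path) for path in paths}


if __name__ == "__main__":
    for name, patterns in (("POSTED", POSTED), ("WILDCARD", WILDCARD),
                           ("EXACT", EXACT)):
        print(name, coverage(patterns))
```

Under this model the "/" set and the "/*" set constrain the same sample paths, while an exact pattern constrains only the path it names.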