You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Tim Colson <tc...@cisco.com> on 2002/09/10 23:46:15 UTC
Security match fails url-pattern /p/* on TC 3.2.1
Hey folks -
I searched the archives for help but didn't find what I needed.
I have a security constraint in my web.xml file like so:
<web-resource-collection>
<web-resource-name>Protected pages</web-resource-name>
<url-pattern>/p/*</url-pattern>
</web-resource-collection>
Problem arises when I want to get to UNauthenticated pages.
http://server/webapp/p/securelist.do -> authenticated
http://server/webapp/public/list.do -> authenticated!?!??
If I change the second URL to:
http://server/webapp/Public/list.do -> public access, no auth
http://server/webapp/ublic/list.do -> public access, no auth
If I change the url-pattern to /p/ -> none of the urls force AuthC.
I've read and re-read the servlet spec 2.2, and /p/* seems like it's
supposed to match the PATH... but TC doesn't appear to be working that
way. :-(
Am I daft? Is this a known issue? Is it resolved in TC 3.2.x?
Thanks,
Tim
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
RE: Security match fails url-pattern /p/* on TC 3.2.1
Posted by Tim Colson <tc...@cisco.com>.
Michael -
>Wouldn't '/p/*' imply a match for URLs that contain /p/
That is what it's supposed to match, from the servlet spec.
>(e.g. http://server/webapp/p/securelist.do).
This is authenticated, as expected.
The problem, as I stated, is that this url also forces authentication ->
but it should not... notice that there isn't a /p/ path present, but
there is a path that starts with a 'p'
http://server/webapp/public/list.do
> This would explain why all other URLs
> fail to get authentication... they are missing the /p/* pattern
The point I was making is that the /p/* pattern seems to [incorrectly]
match anything that starts with a lowercase p rather than
/p/anythinghere
http://server/webapp/Public/list.do -> public access, no auth
http://server/webapp/ublic/list.do -> public access, no auth
>Why not try /public/*
Because what I want is that for all requests under /p/ to be 'protected'
and anything else to be publicly available.
Tim
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
RE: Security match fails url-pattern /p/* on TC 3.2.1
Posted by Michael Petres <mp...@rogers.com>.
Wouldn't '/p/*' imply a match for URLs that contain /p/ (e.g.
http://server/webapp/p/securelist.do). This would explain why all other URLs
fail to get authentication... they are missing the /p/* pattern
Why not try /public/*
Michael Petres
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
InnovObjX Corp.
Web: www.innovobjx.com
Tel: 905-729-2235 x3
Fax: 905-729-2235
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----Original Message-----
From: Tim Colson [mailto:tcolson@cisco.com]
Sent: Tuesday, September 10, 2002 5:46 PM
To: tomcat-user@jakarta.apache.org
Subject: Security match fails url-pattern /p/* on TC 3.2.1
Hey folks -
I searched the archives for help but didn't find what I needed.
I have a security constraint in my web.xml file like so:
<web-resource-collection>
<web-resource-name>Protected pages</web-resource-name>
<url-pattern>/p/*</url-pattern>
</web-resource-collection>
Problem arises when I want to get to UNauthenticated pages.
http://server/webapp/p/securelist.do -> authenticated
http://server/webapp/public/list.do -> authenticated!?!??
If I change the second URL to:
http://server/webapp/Public/list.do -> public access, no auth
http://server/webapp/ublic/list.do -> public access, no auth
If I change the url-pattern to /p/ -> none of the urls force AuthC.
I've read and re-read the servlet spec 2.2, and /p/* seems like it's
supposed to match the PATH... but TC doesn't appear to be working that
way. :-(
Am I daft? Is this a known issue? Is it resolved in TC 3.2.x?
Thanks,
Tim
--
To unsubscribe, e-mail:
<ma...@jakarta.apache.org>
For additional commands, e-mail:
<ma...@jakarta.apache.org>
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>