Security match fails url-pattern /p/* on TC 3.2.1

[Tim Colson <tc...@cisco.com>]

Hey folks -
  I searched the archives for help but didn't find what I needed.

I have a security constraint in my web.xml file like so:

<web-resource-collection>
 <web-resource-name>Protected pages</web-resource-name>
 <url-pattern>/p/*</url-pattern>
</web-resource-collection>

Problem arises when I want to get to UNauthenticated pages.

http://server/webapp/p/securelist.do -> authenticated
http://server/webapp/public/list.do  -> authenticated!?!??

If I change the second URL to:
http://server/webapp/Public/list.do  -> public access, no auth
http://server/webapp/ublic/list.do  -> public access, no auth

If I change the url-pattern to /p/ -> none of the urls force AuthC.

I've read and re-read the servlet spec 2.2, and /p/* seems like it's
supposed to match the PATH... but TC doesn't appear to be working that
way. :-(

Am I daft? Is this a known issue? Is it resolved in TC 3.2.x?

Thanks,
Tim


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>

RE: Security match fails url-pattern /p/* on TC 3.2.1

[Tim Colson <tc...@cisco.com>]

Michael -

>Wouldn't '/p/*' imply a match for URLs that contain /p/ 
That is what it's supposed to match, from the servlet spec. 

>(e.g.  http://server/webapp/p/securelist.do). 
This is authenticated, as expected.

The problem, as I stated, is that this url also forces authentication ->
but it should not... notice that there isn't a /p/ path present, but
there is a path that starts with a 'p'

http://server/webapp/public/list.do 

> This would explain why all other URLs
> fail to get authentication... they are missing the /p/* pattern
The point I was making is that the /p/* pattern seems to [incorrectly]
match anything that starts with a lowercase p rather than
/p/anythinghere

http://server/webapp/Public/list.do  -> public access, no auth 
http://server/webapp/ublic/list.do  -> public access, no auth


>Why not try /public/*
Because what I want is that for all requests under /p/ to be 'protected'
and anything else to be publicly available.


Tim


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>

RE: Security match fails url-pattern /p/* on TC 3.2.1

[Michael Petres <mp...@rogers.com>]

Wouldn't '/p/*' imply a match for URLs that contain /p/ (e.g.
http://server/webapp/p/securelist.do). This would explain why all other URLs
fail to get authentication... they are missing the /p/* pattern

Why not try /public/*

Michael Petres
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
InnovObjX Corp.
Web: www.innovobjx.com
Tel: 905-729-2235 x3
Fax: 905-729-2235
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-----Original Message-----
From: Tim Colson [mailto:tcolson@cisco.com]
Sent: Tuesday, September 10, 2002 5:46 PM
To: tomcat-user@jakarta.apache.org
Subject: Security match fails url-pattern /p/* on TC 3.2.1

Hey folks -
  I searched the archives for help but didn't find what I needed.

I have a security constraint in my web.xml file like so:

<web-resource-collection>
 <web-resource-name>Protected pages</web-resource-name>
 <url-pattern>/p/*</url-pattern>
</web-resource-collection>

Problem arises when I want to get to UNauthenticated pages.

http://server/webapp/p/securelist.do -> authenticated
http://server/webapp/public/list.do  -> authenticated!?!??

If I change the second URL to:
http://server/webapp/Public/list.do  -> public access, no auth
http://server/webapp/ublic/list.do  -> public access, no auth

If I change the url-pattern to /p/ -> none of the urls force AuthC.

I've read and re-read the servlet spec 2.2, and /p/* seems like it's
supposed to match the PATH... but TC doesn't appear to be working that
way. :-(

Am I daft? Is this a known issue? Is it resolved in TC 3.2.x?

Thanks,
Tim


--
To unsubscribe, e-mail:
<ma...@jakarta.apache.org>
For additional commands, e-mail:
<ma...@jakarta.apache.org>


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>