You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tomcat.apache.org by "Craig R. McClanahan" <Cr...@eng.sun.com> on 2000/10/01 02:34:25 UTC

Re: Catalina & Welcome Files

Paul Lamb wrote:

> I noticed today that with the latest catalina that it doesn't seem to check
> security constraints on welcome files.
>
> If my welcome file is "app/default.htm", and I have a security constraint on
> /app/* and I request http://localhost, it will return default.htm without
> prompting to login. But if I request http://localhost/app/default.htm then
> it will send the login.
>

I've asked the spec lead for the servlet spec (Danny Coward) for an
interpretation on this.  Whether the login dialog should be triggered depends on
whether security constraints apply to the original request URI (which is what
Catalina does currently) or the expanded URI.  It's not clear what the right
answer is.

>
> Paul Lamb
>

Craig McClanahan

====================
See you at ApacheCon Europe <http://www.apachecon.com>!
Session VS01 (23-Oct 13h00-17h00):  Sun Technical Briefing
Session T06  (24-Oct 14h00-15h00):  Migrating Apache JServ
                                    Applications to Tomcat