Posted to users@tomcat.apache.org by Johannes Lehtinen <jl...@cc.hut.fi> on 2001/08/16 18:25:46 UTC

Problem with security constraints on /

Hello, Tomcat users!

Earlier this week I stumbled on the following problem. I already found a
solution to it but I am still not sure whether I had misconfigured things
or whether this is a Tomcat bug that should be filed (I didn't find an
existing record). Could someone with more expertise confirm whether the
following is correct behaviour according to the servlet standard (a short
explanation would be nice in that case)? I am using Tomcat 3.2.3.

I have a servlet mapped to / (within its application context) and I have
restricted access to / using the following webapp definition.


- clip -
  <servlet>
    <servlet-name>sms-dispatcher</servlet-name>
    <servlet-class>fi.rossum.bg.sms.SMSDispatcher</servlet-class>
  </servlet>

  <servlet-mapping>
    <servlet-name>sms-dispatcher</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>sms-dispatcher</web-resource-name>
      <url-pattern>/</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>smscore</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>smscore</realm-name>
  </login-config>
- clip -


However, when I point my browser at http://127.0.0.1:8080/smsdispatcher/
Tomcat lets me in without basic authentication! Now, when I do the
following modification...


- clip -
   <security-constraint>
     <web-resource-collection>
       <web-resource-name>sms-dispatcher</web-resource-name>
-      <url-pattern>/</url-pattern>
+      <url-pattern>/*</url-pattern>
     </web-resource-collection>
     <auth-constraint>
       <role-name>smscore</role-name>
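Review bot: the switch from `/` to `/*` in the `<url-pattern>` is the right fix, and it is worth saying why: `/*` is a path-prefix pattern that the servlet URL-matching rules apply to every request path under the context, whereas a bare `/` is the default-servlet mapping, which Tomcat 3.2.3 evidently does not enforce as a constraint on the request path (the post shows even the context root being served without a challenge), so the original constraint was failing open. Note that `/*` now covers everything in the context, static content included, so anything meant to be public needs its own treatment. After deploying, an unauthenticated request to both `/smsdispatcher/` and a sub-path should each get a BASIC challenge; checking only the root would have hidden exactly this kind of gap.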
- clip -


...everything starts working as expected and I have to provide a user name
and password. Is this really how it is supposed to work?

Thanks for clarifications!

--
Johannes Lehtinen <jo...@iki.fi>, http://www.iki.fi/jle/
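An added audit helper, written for this thread and not code from the post or from Tomcat, that parses the `<security-constraint>` entries of a web.xml fragment and reports which request paths no enforceable constraint covers. The web.xml fragment and the sample paths are constructed; a bare `/` pattern is deliberately never counted as coverage, since the post shows Tomcat 3.2.3 did not enforce it.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment modelled on the post; {pattern} is filled in below.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>sms-dispatcher</web-resource-name>
      <url-pattern>{pattern}</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>smscore</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def constrained_patterns(web_xml):
    """url-patterns of every security-constraint that carries an auth-constraint."""
    root = ET.fromstring(web_xml)
    pats = []
    for sc in root.findall("security-constraint"):
        if sc.find("auth-constraint") is None:
            continue  # without an auth-constraint there is nothing to enforce
        pats += [up.text.strip() for up in sc.findall("web-resource-collection/url-pattern")]
    return pats

def covers(pattern, path):
    """Conservative servlet url-pattern matching for audit purposes.
    Exact, path-prefix ('/x/*') and extension ('*.ext') patterns are unambiguous.
    A bare '/' is the default-servlet mapping; as the post shows, Tomcat 3.2.3 did not
    enforce a constraint on it even for the context root, so it is never counted."""
    if pattern == "/":
        return False
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def unprotected(web_xml, paths):
    """Context-relative request paths not covered by any enforceable constraint."""
    pats = constrained_patterns(web_xml)
    return [p for p in paths if not any(covers(pat, p) for pat in pats)]

SAMPLE_PATHS = ["/", "/send", "/admin/report.jsp"]  # constructed sample requests

if __name__ == "__main__":
    for pat in ("/", "/*"):
        print(pat, "leaves open:", unprotected(WEB_XML.format(pattern=pat), SAMPLE_PATHS))
```

Running it prints every sample path as open for the `/` constraint and none for `/*`, which is the difference the post observed.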