This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/11.0.x by this push:
new b7ec790248 Add note on pathInfo, constraints and default servlet like
servlets
b7ec790248 is described below
commit b7ec790248951c1780b62508d6298cec540806d8
Author: Mark Thomas <[email protected]>
AuthorDate: Mon Apr 28 20:44:15 2025 +0100
Add note on pathInfo, constraints and default servlet like servlets
---
webapps/docs/security-howto.xml | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml
index 5600ecbfb8..c167f00fce 100644
--- a/webapps/docs/security-howto.xml
+++ b/webapps/docs/security-howto.xml
@@ -547,6 +547,14 @@
<p>The WebDAV servlet enables edit functionality for web application
content. If the WebDAV servlet is enabled, the WebDAV functionality should
be appropriately secured.</p>
+
+ <p>When configuring security constraints, care should be taken if the URL
+ pattern for one or more constraints covers any segment of the URL that
+ becomes part of the pathInfo for a servlet and the servlet uses the
pathInfo
+ to identify some other resource (like the default servlet does). In those
+ circumstances, correct application of the security constraint depends on
the
+ implementation of the Servlet. All servlets included with Tomcat will
behave
+ correctly in this scenario.</p>
</section>
<section name="Embedded Tomcat">
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
