As Björn Ingimundarson recently noticed, we somehow lost the resource
refs portion of the web.xml.
It's because they happened to have been hiding in the web-security.xml
fragment in metadata/xdoclet, and that was removed with the recent Acegi
changes. I believe we need the resource refs in general, even though
things might work for Tomcat. There's an odd comment that was there
calling it a "Tomcat resource ref", but there's nothing specific about
it; it's part of the Servlet 2.3 and 2.4 specs, and I think Tomcat may
be one of the more lenient containers with respect to missing these.
Not sure about that, but I'd like to put them back. Objections?

On a related but different note, I'm a bit concerned that the
security-constraint clauses that were there might also be required for
some containers to know to set up for HttpServletRequest.isUserInRole()
properly (which appears to still be used in the codebase). Does the
way Acegi is injected entirely obviate the need for them for all
containers? Matt, maybe you can comment on this question.
--a.