The bugfix turned out to be a one-liner: Index: SecurityConstraint.java =================================================================== RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/de ploy/SecurityConstraint.java,v retrieving revision 1.5 diff -u -r1.5 SecurityConstraint.java --- SecurityConstraint.java 22 Jul 2001 20:25:10 -0000 1.5 +++ SecurityConstraint.java 4 Jul 2002 02:50:10 -0000 @@ -455,7 +455,7 @@
// Normalize the argument strings if ((path == null) || (path.length() == 0)) - path = "/"; + return(false); if ((pattern == null) || (pattern.length() == 0)) pattern = "/"; I'll apply this fix if someone more versed in 4.x approves it. Keith | -----Original Message----- | From: Keith Wannamaker [mailto:[EMAIL PROTECTED]] | Sent: Wednesday, July 03, 2002 7:34 PM | To: [EMAIL PROTECTED] | Subject: Tomcat 4.x auth issue | | | Tomcat 4.x has a problem -- it challenges for auth | prior to any redirects. This is wrong because it causes | most browsers to cache auth info for the entire domain | when hitting top-level directories. -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>