DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11603>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11603 security fails for http-method != GET when user is forced to login [EMAIL PROTECTED] changed: What |Removed |Added ---------------------------------------------------------------------------- URL|http://www.secuityfilter.org|http://securityfilter.org/to |/tomcat/http-method-bug.war |mcat/http-method-bug.war ------- Additional Comments From [EMAIL PROTECTED] 2002-08-10 10:59 ------- The demonstration app is posted and available now. It turns out this isn't as much of a problem as I originally thought. It seems the request parameters are not available once you get to the destination page. That makes this much less of a problem, but I would still expect to get a 403 error than to see the page with my POSTed parameters missing. Also, I did not include an <auth-constriant> in the web.xml that I posted in the original report. There is no cause for the container to block access without this. The behavior is the same whether the auth-contraint tag is empty (i.e. no access is allowed) or there is a role that the user does not have. This behavior seems correct. -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>