That is a concrete path and you must be joking if you are suggesting to explicitly define each and every URL as a "web-resource". The idea of hierarchical authorization of resources is a very sound idea and other auth schemes follow this "trickle-down" idea that you secure the whole tree with a general user auth (everyone can see it) and then directories beneath that have content specific to groups and are secured as needed. Any new directory added that does not need special treatment is automatically secured under the general rule. Otherwise you'll likely have a heavy management burden of your deployment descriptor with 100s of "web-resource" tags. The spec is shallow here; I hope it will improve in the next version.

From another angle, I don't want the root to be insecure and only subdirs be secured. No other option there that I know of...

And yet another angle, if you use explicit url-patterns and a content developer drops in something that happens not to match it, it is not a secure item. Unless you are in complete control and have script parameters of content, it's not an option.

-----Original Message-----
From: Alexander Vavilin [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 14, 2003 11:08 PM
To: Tomcat Users List
Subject: Re[2]: url-pattern and realms security

Hello Colin,

Of course, your /* directive will overwrite all. You should use more concrete names and paths.

--
Best regards,
Alexander mailto:[EMAIL PROTECTED]

Friday, August 15, 2003, 4:53:36 AM, you wrote:

MC> Sorry sorry, <web-resource-name> elements are unique, just a copying
MC> error.

MC> -----Original Message-----
MC> From: Alexander Vavilin [mailto:[EMAIL PROTECTED]
MC> Sent: Thursday, August 14, 2003 10:33 PM
MC> To: Tomcat Users List
MC> Subject: Re: url-pattern and realms security

MC> Hello Colin,

MC> I am not sure, but I think you cannot do this, first a <web-resource-name>
MC> element means a UNIQUE name. Can you understand? You must give it
MC> different names. Second thing, I never heard about <http-method> element.

MC> Hope it will help.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]