"Madere, Colin" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> That is a concrete path and you must be joking if you are suggesting to
> explicitly define each and every URL as a "web-resource". The idea of
> hierarchical authorization of resources is a very sound idea and other auth
> schemes follow this "trickle-down" idea that you secure the whole tree with
> a general user auth (everyone can see it) and then directories beneath that
> have content specific to groups and are secured as needed. Any new
> directory added that does not need special treatment is automatically
> secured under the general rule. Otherwise you'll likely have a heavy
> management burden of your deployment descriptor with 100s of "web-resource"
> tags. The spec is shallow here, I hope it will improve in the next version.

The Servlet 2.4 spec is *very* specific here. Basically, the Servlet-Container (aka Tomcat) is required to merge security-constraints. I've heard rumors on other lists that what exactly the specifics are may change before the spec goes final, so it may not be what is currently available as pfd3. I'm not (personally) on the JCP, so you should treat this as "rumor and innuendo" ;-).

>
> From another angle, I don't want the root to be insecure and only subdirs be
> secured. No other option there that I know of...
>
> And yet another angle, if you use explicit url-patterns and a content
> developer drops in something that happens not to match it, it is not a
> secure item. Unless you are in complete control and have script parameters
> of content, it's not an option.
>
> -----Original Message-----
> From: Alexander Vavilin [mailto:[EMAIL PROTECTED]
> Sent: Thursday, August 14, 2003 11:08 PM
> To: Tomcat Users List
> Subject: Re[2]: url-pattern and realms security
>
>
> Hello Colin,
>
> Of course, your /* directive will overwrite all. You should use more
> concrete names and paths.
>
> --
> Best regards,
> Alexander
> mailto:[EMAIL PROTECTED]
>
> Friday, August 15, 2003, 4:53:36 AM, you wrote:
>
> MC> Sorry sorry, <web-resource-name> elements are unique, just a copying
> MC> error.
>
> MC> -----Original Message-----
> MC> From: Alexander Vavilin [mailto:[EMAIL PROTECTED]
> MC> Sent: Thursday, August 14, 2003 10:33 PM
> MC> To: Tomcat Users List
> MC> Subject: Re: url-pattern and realms security
>
>
> MC> Hello Colin,
>
> MC> I am not sure, but I think you cannot do this, first a <web-resource-name>
> MC> element means a UNIQUE name. Can you understand? You must give it
> MC> different names. Second thing, I never heard about <http-method> element.
>
> MC> Hope it will help.
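As an added illustration (not part of the original thread and not Tomcat's code), here is a small Python model of how a container following the final Servlet 2.4 rules picks the security-constraint for a request: the best-matching url-pattern is selected, and constraints that share that pattern have their roles combined. The patterns and role names are constructed for the example.

```python
# Added example: models url-pattern selection for security-constraints.
# Not Tomcat code. Patterns and role names below are constructed.
CONSTRAINTS = [
    ("/*", {"user"}),             # general rule for the whole tree
    ("/reports/*", {"finance"}),  # group-specific subtree
    ("/admin/*", {"admin"}),
    ("/admin/*", {"auditor"}),    # same pattern twice: roles are combined
    ("*.jsp", {"developer"}),     # extension pattern
]

def match_rank(pattern, path):
    """Return a sortable rank if pattern matches path, else None.
    Precedence: exact > longest path prefix > extension > default."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))
    if pattern.startswith("*.") and path.rsplit("/", 1)[-1].endswith(pattern[1:]):
        return (1, 0)
    if pattern == "/":
        return (0, 0)
    return None

def required_roles(path, constraints=CONSTRAINTS):
    """Roles permitted for path, or None when no constraint applies."""
    ranked = [(match_rank(p, path), p) for p, _ in constraints]
    ranked = [(r, p) for r, p in ranked if r is not None]
    if not ranked:
        return None                # unconstrained: the request is accepted
    best = max(ranked)[1]          # only the best-matching pattern counts
    roles = set()
    for pattern, allowed in constraints:
        if pattern == best:
            roles |= allowed       # union across same-pattern constraints
    return roles

if __name__ == "__main__":
    for p in ("/newdir/page.html", "/admin/users", "/index.jsp"):
        print(p, "->", required_roles(p))
```

With `/*` present, a newly added directory falls under the general rule, and `*.jsp` never wins because a path-prefix match is tried before an extension match. Without `/*`, anything outside the explicit patterns is unconstrained.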