"Jonathan Eric Miller" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> I am trying to configure my application so that everything has to be
> encrypted. I was able to do that by using the security constraint at the
> bottom of this message. I've had this working for awhile without a problem.
> However, now, I want to add an additional restriction. I want to make it so
> that users can't access .jsp files directly. So, I added an additional
> security-constraint. However, it doesn't work. The only way I can get the
> .jsp constraint to work is if I comment out the other one. I've tried
> changing the order of the constraints and that doesn't make a difference.
>

Since changing the order doesn't do anything, I'm assuming that you are using Tomcat 5.

> What am I doing wrong? Why doesn't it merge the two constraints together? It
> appears to just pick the most general case and go with that one.
>

It actually will just pick the most specific case: However, in the Servlet-Spec, '/*' is more specific than '*.jsp'. There really isn't much that Tomcat can do about it, since the 2.4 Servlet-Spec is very specific about how security-constraints are evaluated.

My advice is to try and understand the security model in the Servlet-Spec, and then try and work out how to apply it to your specific case. It's likely going to be ugly :(.

> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>x</web-resource-name>
>     <url-pattern>*.jsp</url-pattern>
>   </web-resource-collection>
>   <auth-constraint/>
> </security-constraint>
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>y</web-resource-name>
>     <url-pattern>/*</url-pattern>
>   </web-resource-collection>
>   <user-data-constraint>
>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
>
> Jon
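
The behaviour described in the reply, modelled as an added example (not code from the thread or from Tomcat): it applies the Servlet 2.4 URL-pattern precedence (exact, then longest path prefix, then extension, then default) to the two constraints from the post and returns the ones attached to the winning pattern. The function names and the request paths are assumptions made for illustration.

```python
# Model of Servlet 2.4 URL-pattern precedence (SRV.11.1) as applied to
# security-constraints: exact > longest path prefix > extension > default.
# Constraint names x and y come from the web.xml in the post; the request
# paths are constructed samples.

CONSTRAINTS = [
    {"name": "x", "pattern": "*.jsp", "auth": "deny-all", "transport": None},
    {"name": "y", "pattern": "/*", "auth": None, "transport": "CONFIDENTIAL"},
]

def rank(pattern, path):
    """Return a sortable precedence for pattern against path, or None if no match."""
    if pattern == path:
        return (3, len(pattern))                 # exact match
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))              # path prefix, longest wins
        return None
    if pattern.startswith("*."):
        last_segment = path.rsplit("/", 1)[-1]
        if "." in last_segment and last_segment.rsplit(".", 1)[-1] == pattern[2:]:
            return (1, 0)                        # extension match
        return None
    if pattern == "/":
        return (0, 0)                            # default mapping
    return None

def effective_constraints(path, constraints=CONSTRAINTS):
    """Constraints attached to the single best-matching url-pattern."""
    ranked = [(rank(c["pattern"], path), c) for c in constraints]
    ranked = [(r, c) for r, c in ranked if r is not None]
    if not ranked:
        return []
    best = max(r for r, _ in ranked)
    winner = next(c["pattern"] for r, c in ranked if r == best)
    # Only constraints declared on the winning pattern are combined.
    return [c for c in constraints if c["pattern"] == winner]

if __name__ == "__main__":
    for path in ("/index.jsp", "/admin/report.jsp", "/images/logo.png"):
        names = [c["name"] for c in effective_constraints(path)]
        print(f"{path:22} -> {names}")
```

With both constraints present every path, including `/index.jsp`, resolves to constraint y only; with y removed, the `*.jsp` constraint x applies, which matches what the original poster observed.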