I sent this a couple of days ago in the blizzard of listserv messages and never got a response so I'm sending it again in the hope someone can help me.
Background: I had a blojsom blog server set up on Tomcat 4.1 that used a JDBC realm to control access. I customized the login.jsp to include some local .gifs and such that aren't part of the blojsom.war file (I don't want to modify the 3rd party .war file unless I absolutely have to) and originally had problems getting the images to appear.

I found that the reason the images wouldn't appear is that, because they were under the webapps/blojsom directory, they were also restricted by the realm access, so attempting to access them invoked the realm security control. So I had a chicken and egg problem with allowing access to the images. I finally solved that by modifying the webapp's web.xml file and changing the <url-pattern> within the <security-constraint> to be "/blog/*", instead of just "*", so that only attempts to access the individuals' blogs would be controlled.

That worked fine for 4.1. But now I've upgraded to 5.0.30 and it no longer works; I'm back to having no images, external to the war file, being displayed by my login.jsp. Everything has been copied from the 4.1 config to the 5.0 config. Is there something I forgot to do?

The log file shows that when it is attempting to access one of the image files, which should be /blojsom/images/logo.gif, the actual filename it's requesting in the GET is /blojsom/blog/images/logo.gif, which is wrong.
For example, this is taken from the 4.1 log:

    2005-05-10 18:25:12 Authenticator[/blojsom]: Security checking request GET /blojsom/images/logo.gif

and this is taken from the 5.0 log:

    Security checking request GET /blojsom/blog/images/logo.gif

The relevant parts of my web.xml are:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Entire Application</web-resource-name>
            <url-pattern>/blog/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>users</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>Users</realm-name>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/error.jsp</form-error-page>
        </form-login-config>
    </login-config>

    <security-role>
        <description>
            Some Stuff
        </description>
        <role-name>users</role-name>
    </security-role>
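
Added example (not part of the original message and not Tomcat's code): a Python check of which request paths the quoted security-constraint covers under the Servlet specification's url-pattern rules, showing that the path in the 4.1 log falls outside the constraint while the path in the 5.0 log falls inside it. The function names are illustrative, and the descriptor is a constructed copy of the fragment above wrapped in a `<web-app>` element.

```python
import xml.etree.ElementTree as ET

# Constructed from the web.xml fragment quoted in the message (no XML namespace,
# as in a DTD-based servlet 2.3 descriptor).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire Application</web-resource-name>
      <url-pattern>/blog/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>users</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

CONTEXT_PATH = "/blojsom"  # taken from the request lines in the logs


def pattern_matches(pattern, path):
    """Servlet-spec url-pattern test against a context-relative path."""
    if pattern.endswith("/*"):                 # path-prefix pattern
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):               # extension pattern
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    if pattern == "/":                         # default pattern
        return True
    return path == pattern                     # exact pattern


def matching_constraints(web_xml, request_uri, context_path=CONTEXT_PATH):
    """List (url-pattern, roles) for every constraint covering request_uri.

    An empty list means the container serves the path without invoking the
    realm. HTTP-method restrictions and precedence between several
    constraints are not modelled.
    """
    if request_uri != context_path and not request_uri.startswith(context_path + "/"):
        raise ValueError("request is outside this web application")
    path = request_uri[len(context_path):] or "/"
    hits = []
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        roles = [r.text.strip() for r in sc.findall("auth-constraint/role-name")]
        for pat in sc.iter("url-pattern"):
            if pattern_matches(pat.text.strip(), path):
                hits.append((pat.text.strip(), roles))
    return hits


if __name__ == "__main__":
    for uri in ("/blojsom/images/logo.gif", "/blojsom/blog/images/logo.gif"):
        print(uri, "->", matching_constraints(WEB_XML, uri) or "unconstrained")
```

Running the same check over every static resource a login page references is a quick way to confirm none of them sit behind the constraint that the login page itself is meant to satisfy.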