Angela Stempfel wrote:
Hello all
I have a problem concerning Tomcat 4.1.30. In web.xml I defined several
security constraints. First of all I protected the whole application and
then I excluded the directories with images and css files. Furthermore I
defined some roles.
<snip>
So my problem is that this works fine with Tomcat 5.0 but not with
Tomcat 4.1.30. If I go to the login page, the stylesheet and images are
not found when running the Application with version 4.1.30. Also the
Security Constraints are not working correctly, this means that a user
that hasn't the role "dslamConfig" is able to enter the following URL:
/DslamConfig/*
Has anyone some ideas?
You need to read section SRV.12.8 of both the servlet 2.3 spec and the
servlet 2.4 spec. The way constraints are handled has changed. For example,
<spec-quote version="2.3">
If the authorization constraint defines no roles, no user is allowed
access to the portion of the web application defined by the security
constraint.
</spec-quote>
compared to
<spec-quote version="2.4">
If no authorization constraint applies to a request, the container must
accept the request without requiring user authentication.
</spec-quote>
There is a fair amount of ambiguity in this area of the 2.3 spec, which
is why it changed so much in 2.4.
You should also be aware of
http://issues.apache.org/bugzilla/show_bug.cgi?id=15570
Mark
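
The layout described in the question, written as a Servlet 2.4 web.xml and annotated with the two rules quoted in the reply. This is an added example, not configuration from the original thread. The `/images/*` and `/css/*` paths, the `user` role, the `/internal/*` block and the login page names are assumptions; `dslamConfig` and `/DslamConfig/*` come from the question.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- Catch-all: any request with no more specific constraint needs the "user" role (assumed name). -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Whole application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>

  <!-- More specific pattern: only "dslamConfig" may reach /DslamConfig/*. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>DSLAM configuration</web-resource-name>
      <url-pattern>/DslamConfig/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>dslamConfig</role-name></auth-constraint>
  </security-constraint>

  <!-- Static files: the constraint has NO auth-constraint element, so under the 2.4
       rule quoted above no authorization constraint applies and no login is required. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Static files (assumed paths)</web-resource-name>
      <url-pattern>/images/*</url-pattern>
      <url-pattern>/css/*</url-pattern>
    </web-resource-collection>
  </security-constraint>

  <!-- Contrast: an auth-constraint that names no roles denies every user.
       It is not a way to open a path up. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Blocked (assumed path)</web-resource-name>
      <url-pattern>/internal/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <login-config><auth-method>FORM</auth-method>
    <form-login-config><form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page></form-login-config></login-config>
  <security-role><role-name>user</role-name></security-role>
  <security-role><role-name>dslamConfig</role-name></security-role>
</web-app>
```

After deploying, request a stylesheet without a session and request `/DslamConfig/` as a user who lacks `dslamConfig`; the first should be served and the second refused on each container version you support.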