Hi,
No workaround I'm afraid. I can confirm that the problem
affects form-based JDBCRealm as well. Tried putting
*/admin/* into url pattern and broke security completely.
I wonder whether a JkMount directive with appropriately
placed wildcards might work but haven't had time to try.
I'd be very interested if you find a solution.
Presumably no-one on the list has one?
andrew
On Sun, 15 Jul 2001, you wrote:
> Ok, I needed to put some security constraints on a directory, so I added this
> to my web.xml:
> <security-constraint>
>   <display-name>UQoS Amin Area</display-name>
>   <web-resource-collection>
>     <web-resource-name>UQoS Amin Area</web-resource-name>
>     <url-pattern>/admin/*</url-pattern>
>   </web-resource-collection>
> I use BASIC authentication using the memory realm.
> Works like it's supposed to when someone goes to my http://xxx/webapp/Admin/ or
> something below, HOWEVER, if they type http://xxx/webapp//Admin/ (or even
> more slashes), all security checks are bypassed, anyone is let right in!
> (same thing happens always, try it with the 'security' example shipped with
> Tomcat.)
> Severe bug! I have posted it to BugZilla. This applies to at least Tomcat
> 3.2.1 and 3.2.2.
> And I need it fixed as soon as possible. Does anyone know a workaround for
> this one? (I'd rather not upgrade to Tomcat 4 yet, seems like it's fixed here.)
> --
> Nils O. Selåsdal
--
Andrew Robson
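
Added example, not part of the original messages and not Tomcat's code: a sketch of the check the thread is asking for, where the request path is canonicalized before it is compared with the `/admin/*` url-pattern, so repeated slashes cannot step around the constraint. It assumes the bypass comes from matching the raw path (the thread does not state the cause); the class and method names are hypothetical, the sample paths are constructed, and the normalizer goes beyond the reported case by also resolving `.` and `..` segments.

```java
import java.util.ArrayDeque;
import java.util.Deque;

// Added illustration (hypothetical names), not Tomcat source.
public class ConstraintPathCheck {

    // Collapse empty segments ("//"), drop ".", resolve "..". Returns null when
    // ".." would climb above the context root so the caller can reject it.
    static String normalize(String path) {
        Deque<String> stack = new ArrayDeque<>();
        for (String seg : path.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) {
                if (stack.isEmpty()) return null;
                stack.removeLast();
            } else {
                stack.addLast(seg);
            }
        }
        StringBuilder sb = new StringBuilder();
        for (String seg : stack) sb.append('/').append(seg);
        if (path.endsWith("/") || sb.length() == 0) sb.append('/');
        return sb.toString();
    }

    // Path-prefix ("/admin/*") or exact match, case-sensitive.
    static boolean matches(String pattern, String path) {
        if (pattern.endsWith("/*")) {
            String prefix = pattern.substring(0, pattern.length() - 2);
            return path.equals(prefix) || path.startsWith(prefix + "/");
        }
        return pattern.equals(path);
    }

    // Fail closed: a path that cannot be canonicalized is treated as protected.
    static boolean isProtected(String pattern, String contextRelativePath) {
        String canonical = normalize(contextRelativePath);
        return canonical == null || matches(pattern, canonical);
    }

    public static void main(String[] args) {
        String pattern = "/admin/*"; // pattern from the quoted web.xml
        // Constructed context-relative paths, not captured traffic.
        String[] samples = {"/admin/", "//admin/", "///admin/users.jsp", "/index.jsp"};
        for (String p : samples) {
            System.out.printf("%-20s raw=%-5b canonical=%b%n",
                    p, matches(pattern, p), isProtected(pattern, p));
        }
    }
}
```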