On Tue, 16 Apr 2002, Dan K. wrote:
> Date: Tue, 16 Apr 2002 17:11:04 -0400 (EDT)
> From: Dan K. <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: <web-resource-collection> in web.xml
>
>
> Hi,
>
> Does anyone on the list know where the <url-pattern> element is verified
> in the tomcat 4.0.x source? For example I have the following web.xml
> snippet:
>
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>Protected Web Application</web-resource-name>
> <url-pattern>/servlet/*</url-pattern>
> </web-resource-collection>
>
> <auth-constraint>
> <role-name>user_role</role-name>
> </auth-constraint>
> </security-constraint>
>
> The above protects the url <app_context>/servlet/* works but but I would
> like to change it so that it will also work for
> <app_context>/servlet/protected* which doesn't seem to work. Anyone got
> ideas? Is there anything security problem in allowing this?
>
The valid URL patterns for security constraints are the same as those for
servlet mappings, and are defined in the Servlet Specification
<http://java.sun.com/products/servlet/download.html>. You could certainly
change this in your own copy of Tomcat, but your applications would not be
portable to any other container (and possibly not even to a future
version of Tomcat if the mechanism happened to change). You'd be far
better off architecting the URLs of your application so that they fit the
standards.
> Thanks in advance.
>
> Regards,
> Dan
>
Craig
--
To unsubscribe: <mailto:[EMAIL PROTECTED]>
For additional commands: <mailto:[EMAIL PROTECTED]>
Troubles with the list: <mailto:[EMAIL PROTECTED]>
