The spec says the action for logging in is j_security_check with parameters j_username and j_password.

There are no parameters to say which request/resource caused the security check. So without extending the spec with custom (non-portable) functionality, the last request seems to be chosen.

The joys of HTTP statelessness.

-Tim


Mike Curwen wrote:
oh DUH. Sorry, I shoulda read that more closely.
So just make login.jsp and its image (or maybe even just the image) the
unprotected resource. Everything else can stay where it is.
But my original ?? about Tomcat using the 'last' rather than the
'causing' resource stands. Why would they implement it thusly?




