Hey all,

Just noticed some odd behavior in Tomcat today. One of our admins set up a new folder on a context as follows:

/seasonpass/index.jsf
/seasonpass/index.jsp

He did not touch the web.xml file, and yet the /seasonpass/ folder works as expected!? Without altering the security-constraints in web.xml. The idea is that index.jsp is our welcome file and would forward the user automagically (a technical term) to the /index.jsf file in the seasonpass folder if the user simply went to www.myurl.com/seasonpass/. However, we have no mention of the /seasonpass/ directory in our "Not Secured Pages" security-constraint elements... so I think what's happening is that our welcome file, index.jsp, is automatically allowed wherever it appears... Is this a security hole, or is this intended?

Relevant copy from web.xml:

<!-- Welcome files -->
<welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
</welcome-file-list>

<security-constraint>
    <display-name>Not secured Pages</display-name>
    <web-resource-collection>
        <web-resource-name>Welcome pages</web-resource-name>
        <bunch of stuff not pertaining to the /seasonpass/ directory></blah>
    </web-resource-collection>
</security-constraint>

Rob
Web Developer/Site Administrator