Hey all,
Just noticed some odd behavior in tomcat today, one of
our admins set up a new folder on a context as follows:
/seasonpass/index.jsf
/seasonpass/index.jsp
He did not touch the web.xml file and yet the /seasonpass/ folder works
as expected!? Without altering the security-constraints in web.xml.
The idea is that index.jsp is our welcome file and would forward the
user automagically (a technical term) to the /index.jsf file in the
seasonpass folder if the user simply went to www.myurl.com/seasonpass/.
However, we have no mention of the /seasonpass/ directory in our "Not
Secured Pages" security-constraint elements... so I think what's
happening is that our welcome-file, index.jsp, is automatically allowed
wherever it appears... Is this a security hole or is this intended?
Relevant copy from web.xml:

    <!-- Welcome files -->
    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>

    <security-constraint>
        <display-name>Not secured Pages</display-name>
        <web-resource-collection>
            <web-resource-name>Welcome pages</web-resource-name>
            <!-- bunch of stuff not pertaining to the /seasonpass/ directory -->
        </web-resource-collection>
    </security-constraint>
Rob
Web Developer/Site Administrator
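The following web.xml fragment is an added example for readers of this thread, not Rob's configuration and not taken from any Tomcat distribution. It shows the deny-by-default layout a defender would compare against: the container matches security-constraints against the URI of the incoming request (the most specific url-pattern wins), and neither the welcome-file dispatch nor a RequestDispatcher forward is re-checked against the constraints. So whether /seasonpass/ is protected depends only on whether some constraint's url-pattern covers that request path; the name of the welcome file plays no part. The role name "user", the /public/* path and the FORM login are assumed values for illustration.

```xml
<!-- Added example (not from the original post): deny by default,
     then list explicit exemptions. -->
<welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
</welcome-file-list>

<!-- 1. Protect the whole application. Any request path that no more
        specific pattern claims falls back to this constraint. -->
<security-constraint>
    <display-name>Secured Pages (default)</display-name>
    <web-resource-collection>
        <web-resource-name>Whole application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>   <!-- assumed role name -->
    </auth-constraint>
</security-constraint>

<!-- 2. Exemptions. A security-constraint WITHOUT an <auth-constraint>
        element is unrestricted. Only the patterns listed here are
        reachable anonymously; a new folder such as /seasonpass/ stays
        behind constraint 1 until somebody adds it here. -->
<security-constraint>
    <display-name>Not secured Pages</display-name>
    <web-resource-collection>
        <web-resource-name>Public pages</web-resource-name>
        <url-pattern>/public/*</url-pattern>   <!-- assumed path -->
    </web-resource-collection>
</security-constraint>

<!-- 3. Optional: name the sensitive folder explicitly so a reviewer
        can see the intent without reasoning about /* fallback. -->
<security-constraint>
    <display-name>Season pass</display-name>
    <web-resource-collection>
        <web-resource-name>Season pass pages</web-resource-name>
        <url-pattern>/seasonpass/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>FORM</auth-method>   <!-- assumed; BASIC etc. also work -->
    <form-login-config>
        <form-login-page>/public/login.jsp</form-login-page>
        <form-error-page>/public/login-error.jsp</form-error-page>
    </form-login-config>
</login-config>

<security-role>
    <role-name>user</role-name>
</security-role>
```

If the existing web.xml only lists the pages that are NOT secured and has no constraint whose url-pattern covers the rest of the context (such as /* or the individual protected directories), then every path outside that list is open, which is the behaviour described above. A quick check from an unauthenticated session, for example a plain curl -i request for /seasonpass/ without a session cookie, should come back as a redirect to the login page or a 401, never a 200 with the page body.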