Chuck,

Caldarale, Charles R wrote:
>> From: Nar Karapetyan [mailto:[EMAIL PROTECTED]
>> Subject: An issue concerning authentication in Tomcat hosted web application
>>
>> This snippet says that any url ending with ".action" or ".jsp"
>> should be authenticated first, and works OK.
>>
>> However, I need to exclude some specific urls which end with
>> ".action". (e.g. RSS feed urls that contain the string "rss").
>
> There's no provision for using regular expressions in section 12 of
> the Servlet Spec. I think you can add another <security-constraint>
> listing the specific RSS URLs you want to allow, but do not include a
> nested <auth-constraint> element. This should allow unauthenticated
> access, if I'm interpreting the spec (and Tomcat's implementation
> thereof) properly.
>
> You might want to take a look at SecurityFilter, which is more
> flexible than strict declarative security:
> http://securityfilter.sourceforge.net/

SecurityFilter's handling of URL mappings is spec-compliant. We haven't
added any bells or whistles in here. It's mostly things like drive-by
logins and such.

Your interpretation of the spec matches ours: if you create a
<web-resource-collection> that matches "*.action" and another one that
matches "/full/path/to/my/special.action", then the latter will match
/first/ because it is a "longer" match. Order in the web.xml file is
irrelevant. Basically, the more-specific mapping always wins, which is
typically exactly what you want.

For more information, the OP should read chapter 11 ("Mapping Requests
to Servlets") in the servlet spec. It clearly defines how URLs should be
mapped to servlets (and the security constraints follow the identical
URL mapping rules).
-chris
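
The arrangement discussed in this thread, as an added web.xml sketch that is not part of the original messages. The feed paths, the resource names and the role name `user` are assumed placeholders.

```xml
<!-- Added example: paths, names and role are placeholders, not from the thread. -->

<!-- Require login for everything ending in .action or .jsp, which is the
     behaviour the original poster describes as already working. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected pages</web-resource-name>
    <url-pattern>*.action</url-pattern>
    <url-pattern>*.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<!-- Exact-path patterns for the RSS feeds, with no nested <auth-constraint>,
     so no authentication is required for them. An exact path is a more
     specific match than the *.action extension pattern, so this constraint
     is the one applied to these two URLs, wherever it sits in web.xml. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Public RSS feeds</web-resource-name>
    <url-pattern>/feeds/rss.action</url-pattern>
    <url-pattern>/news/rss.action</url-pattern>
  </web-resource-collection>
</security-constraint>

<!-- url-pattern only has exact paths, path prefixes (/dir/*), extensions
     (*.ext) and the default (/). "Any .action URL containing rss" has no
     pattern form, so each public URL is listed explicitly. -->
```

Every path in the second constraint is reachable without login for all HTTP methods unless `<http-method>` elements narrow it, so keep that list to the feed URLs only.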