Chuck,

On 12/2/2009 5:15 PM, Caldarale, Charles R wrote:
>> From: Christopher Schultz [mailto:[email protected]]
>> Subject: Re: Authentication without Authorization ( JNDI Realm )
>>
>> Technically speaking, this will require authentication but then let
>> anyone holding any role defined in web.xml access any page on your
>> site.
>
> But the valid roles still have to be listed in web.xml to be compliant with
> the spec.

Yes. That's why I said "technically" and "practically".

>> Practically speaking, you don't even need to define the roles in
>> web.xml because (last time I checked), Tomcat treats '*' as
>> "authenticated, regardless of roles".
>
> That was a bug, now fixed:
> http://marc.info/?l=tomcat-user&m=123568422715010&w=2

I'll have to look elsewhere in the code, then. What I saw in
GenericPrincipal clearly takes, ahem, liberties with the spec.

-chris
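An added example, not part of the original message and not Tomcat code: a short Python audit of a `web.xml` that expands an `auth-constraint` of `*` to the roles declared in the descriptor, which is the spec reading discussed in the thread, and flags a `*` with no declared roles. The sample descriptor, function names and report keys are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not from the thread).
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>site</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>staff</role-name></security-role>
  <security-role><role-name>admin</role-name></security-role>
</web-app>"""


def _find(elem, name):
    """Direct children called `name`, ignoring the XML namespace."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]


def _texts(elems, name):
    """Stripped text of every `name` child of the given elements."""
    return [c.text.strip() for e in elems for c in _find(e, name) if c.text]


def audit_auth_constraints(web_xml_text):
    """Return one dict per security-constraint that has an auth-constraint."""
    root = ET.fromstring(web_xml_text)
    declared = sorted(set(_texts(_find(root, "security-role"), "role-name")))
    report = []
    for sc in _find(root, "security-constraint"):
        auth = _find(sc, "auth-constraint")
        if not auth:
            continue  # no auth-constraint on this constraint
        named = set(_texts(auth, "role-name"))
        # Spec reading: '*' is shorthand for the roles declared in web.xml.
        allowed = set(declared) if "*" in named else named
        report.append({
            "patterns": _texts(_find(sc, "web-resource-collection"), "url-pattern"),
            "wildcard": "*" in named,
            "allowed_roles": sorted(allowed),
            # Roles named in the constraint but never declared as security-role.
            "undeclared": sorted(named - {"*"} - set(declared)),
            # '*' with nothing declared: access rests on container behaviour.
            "wildcard_without_roles": "*" in named and not declared,
        })
    return report
```

A constraint reported with `wildcard_without_roles` set is the case the thread argues about: the descriptor itself names no role, so who gets in depends on how the container treats `*`.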
