Replying to my own post. Sorry, the attachment mysteriously disappeared. Anyway, the important part is here:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Index 1</web-resource-name>
        <url-pattern>/index.jsp</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>*</role-name>
      </auth-constraint>
    </security-constraint>

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Index 2</web-resource-name>
        <url-pattern>/index.jsp</url-pattern>
      </web-resource-collection>
    </security-constraint>

Cheers
Nam

--
Random humorous quote:
The only problem with mornings is that they happen too early in the day.

Subject: Bug in Combining Authorization Constraints

Hi,

I have two <security-constraint> elements in my deployment descriptor. One has auth-constraint <role-name>*</role-name>, and the other does not have any <auth-constraint>. They both have the same <url-pattern>.

By SRV.12.8.1 Combining Constraints:

<quote>
A security constraint that does not contain an authorization constraint shall combine with authorization constraints that name or imply roles to allow unauthenticated access.
</quote>

Applying this to the attached .war file, my interpretation is that access to /index.jsp is accepted. However, Tomcat 5.5.12 returns status code 401 (Authorization Required).

Cheers
Nam

--
Random humorous quote:
Work is the greatest thing in the world, so save some for tomorrow.
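Added example, not part of the original messages and not Tomcat's code: a small Python model of the SRV.12.8.1 combining rules, run over the two constraints posted above. It goes beyond the one sentence quoted in the post by also modelling the union-of-roles and empty auth-constraint rules from the same section, and it assumes exact url-pattern matches, no http-method elements and a descriptor fragment without an XML namespace; the names combine, DENY and OPEN are made up for this sketch.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two constraints from the post, wrapped in a root
# element and without the XML namespace a full web.xml would declare.
DESCRIPTOR = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Index 1</web-resource-name>
      <url-pattern>/index.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Index 2</web-resource-name>
      <url-pattern>/index.jsp</url-pattern>
    </web-resource-collection>
  </security-constraint>
</web-app>"""

DENY, OPEN = "deny-all", "unauthenticated"  # hypothetical labels for this sketch


def combine(descriptor_xml):
    """Map each url-pattern to DENY, OPEN, or the set of permitted role names."""
    per_pattern = {}
    for sc in ET.fromstring(descriptor_xml).iter("security-constraint"):
        auth = sc.find("auth-constraint")
        # None = no auth-constraint at all; empty set = one that names no roles
        roles = None if auth is None else {
            r.text.strip() for r in auth.findall("role-name")}
        for pat in sc.iter("url-pattern"):
            per_pattern.setdefault(pat.text.strip(), []).append(roles)

    result = {}
    for pattern, entries in per_pattern.items():
        if any(r is not None and not r for r in entries):
            result[pattern] = DENY   # naming no roles overrides everything else
        elif any(r is None for r in entries):
            result[pattern] = OPEN   # the rule quoted in the post
        else:
            result[pattern] = set().union(*entries)  # union of named roles
    return result


if __name__ == "__main__":
    print(combine(DESCRIPTOR))
```
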