Remy,

Remy Maucherat wrote:
> Jan Luehe wrote:
> 
>>Bill/Remy,
>>
>>But SRV.9.10 ("Welcome Files") already has this:
>>
>>  The container may send the request to the welcome resource with
>>  a forward, a redirect, or a container specific mechanism
>>  **that is indistinguishable from a direct request**.
>>
>>The latter to me implies that any sec constraints must be applied
>>to the mapped welcome page (if any).
> 
> 
> The plot thickens.


What do you mean by that? ;-)
Do you agree the spec is pretty clear about the fact that
any sec constraints must be applied to the welcome page?


>>Also, see the attached diffs, in particular:
>>
>>-        String uri = request.getDecodedRequestURI();
>>-        String contextPath = hreq.getContextPath();
>>-        if (contextPath.length() > 0)
>>-            uri = uri.substring(contextPath.length());
>>+        String uri = request.getRequestPathMB().toString();
>>
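Review bot: the added line drops the getDecodedRequestURI() call and the context-path stripping, so it should be confirmed, and stated in a comment on that line, that getRequestPathMB() returns a path that is already decoded and context-relative; otherwise url-patterns are compared against a different form of the path than before. The comment should also say that this is the mapper-set path, which differs from the request URI when a welcome file was selected ("/somecontext/" versus "/index.jsp" in the case described below), so the next reader knows which of the two values findSecurityConstraints() matches against.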
>>in findSecurityConstraints().
>>
>>When accessing <host>:<port>:/somecontext/,
>>which has welcome page /somecontext/index.jsp,
>>
>>request.getDecodedRequestURI() returns "/somecontext/",
>>whereas request.getRequestPathMB().toString() returns
>>"/index.jsp" (as set by the mapper), so there already is a precedent
>>in findSecurityConstraints() to match sec constraints against
>>welcome page, which I think makes sense.
> 
> 
> Right. However, when I made that commit, the current mapper behavior may 
> not have been in place already, or maybe it's simply that I thought the 
> two would be equivalent (I was busy optimizing at the time). I don't 
> quite remember ;)


I think you did the right thing without realizing it. :)
The change I committed earlier today is just consistent with
what you had done.

I'm still nervous about request.getDecodedRequestURI() returning
the original URI even after the request has been mapped to a welcome
page. This violates the spec requirement that any container-specific
mechanism for mapping a request to a welcome page must be
"indistinguishable from a direct request".


Jan



> Rémy
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
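Added example, not part of the original message and not Tomcat code: a small stand-alone model of the case discussed above, showing how the same constraint set gives a different answer for "/somecontext/" depending on whether it is matched against the original request URI or the mapper-set welcome path. The class, its method names and the sample constraint patterns are hypothetical.

```java
import java.util.List;

// Added illustration; not Tomcat code. All names here are hypothetical.
public class WelcomeConstraintDemo {

    // Servlet url-pattern matching: exact, path prefix ("/x/*"), extension ("*.jsp").
    static boolean matches(String pattern, String path) {
        if (pattern.equals(path)) return true;
        if (pattern.endsWith("/*")) {
            String prefix = pattern.substring(0, pattern.length() - 2);
            return path.equals(prefix) || path.startsWith(prefix + "/");
        }
        if (pattern.startsWith("*.")) {
            int slash = path.lastIndexOf('/');
            int dot = path.lastIndexOf('.');
            return dot > slash && path.substring(dot).equals(pattern.substring(1));
        }
        return false;
    }

    // Stand-in for the mapper: a directory request is rewritten to its welcome file.
    static String mapWelcome(String path, String welcomeFile) {
        return path.endsWith("/") ? path + welcomeFile : path;
    }

    // True if any constraint pattern covers the given context-relative path.
    static boolean isProtected(List<String> constraintPatterns, String path) {
        return constraintPatterns.stream().anyMatch(p -> matches(p, path));
    }

    public static void main(String[] args) {
        // Constructed sample: the application protects its JSPs and an admin area.
        List<String> constraints = List.of("*.jsp", "/admin/*");
        String contextPath = "/somecontext";
        String requestUri = "/somecontext/";   // what the client sent

        // Removed logic: request URI with the context path stripped.
        String original = requestUri.substring(contextPath.length());
        // Added logic: the path after welcome-file mapping.
        String mapped = mapWelcome(original, "index.jsp");

        System.out.println(original + " protected: " + isProtected(constraints, original));
        System.out.println(mapped + " protected: " + isProtected(constraints, mapped));
    }
}
```

Matching against the original URI leaves the welcome page reachable without the constraint that a direct request for /index.jsp would trigger, which is the gap the spec wording quoted from SRV.9.10 rules out.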

