Aaron Mulder wrote:
> Well it appears that Tomcat and Jetty handle this situation
> differently (Tomcat: all secure pages locked down, Jetty: all secure
> pages accessible to anybody), which is *definitely* a bug...

If Jetty is not given a realm, but is given security constraints for a resource, it returns a "500 configuration error". So the Jetty plugin must either be giving Jetty a realm or not giving it the security constraints. From a quick look at JettyModuleBuilder, I think the security constraints are not being built if there is no security realm name.

> But really, if the user put security settings in their web.xml, then
> clearly they're expecting security to be applied. If we disable all
> security because they missed a deployment plan or a deployment plan
> setting, then I think that's a huge security problem. Generally
> speaking, I think it's always best to fail to a more secure state, not
> to fail to an "anybody authorized for anything" state. That's
> certainly the behavior you'd expect from your bank.

I agree - but then 1.0 is not going to be a real production release. I really think it should be called a 1.0RC. But anyway...

I'm out for a few hours and if David has not fixed this by then, I'll work on a fix for trunk and we can then decide if that makes it for 1.0.

cheers
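The fail-closed behaviour argued for in this thread, as an added example that is not part of the original message and not Jetty or Geronimo code: it parses the `<security-constraint>` elements of a web.xml, and when constraints with an `<auth-constraint>` exist but no realm name was supplied, it refuses deployment and denies covered requests instead of silently dropping the constraints. The web.xml text, the realm name and the request paths are constructed for the example.

```python
"""Audit web.xml security constraints against the realm the container was
given, and apply a fail-closed rule: constraints with no realm refuse
deployment / deny access rather than being silently dropped.
Added example, not Jetty or Geronimo code; the web.xml below is constructed."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass
class Constraint:
    resource_name: str
    url_patterns: list
    auth_required: bool   # True when an <auth-constraint> element is present
    roles: list           # role-names; auth_required with no roles means nobody


def _local(tag):
    """Drop any {namespace} prefix so plain and namespaced web.xml parse alike."""
    return tag.rsplit("}", 1)[-1]


def _texts(elem, name):
    return [c.text.strip() for c in elem.iter() if _local(c.tag) == name and c.text]


def parse_constraints(web_xml):
    """Return one Constraint per <security-constraint> in the document."""
    root = ET.fromstring(web_xml)
    constraints = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        has_auth = any(_local(c.tag) == "auth-constraint" for c in sc.iter())
        names = _texts(sc, "web-resource-name")
        constraints.append(Constraint(
            resource_name=names[0] if names else "",
            url_patterns=_texts(sc, "url-pattern"),
            auth_required=has_auth,
            roles=_texts(sc, "role-name") if has_auth else [],
        ))
    return constraints


def _matches(pattern, path):
    """Servlet-style matching: exact, path prefix (/a/*) or extension (*.pdf)."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return path == base or path.startswith(base + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return False


def deployment_decision(constraints, realm_name):
    """'reject' when authentication constraints exist but no realm was given."""
    protected = [c for c in constraints if c.auth_required]
    if protected and not realm_name:
        return "reject"   # fail closed instead of deploying with constraints dropped
    return "deploy"


def access_decision(constraints, realm_name, path, user_roles):
    """Decide a request. With no realm, anything a constraint covers is denied,
    i.e. fail to the locked-down state, never to 'anybody for anything'.
    (The '*' any-authenticated-user role is not modelled here.)"""
    for c in constraints:
        if not c.auth_required or not any(_matches(p, path) for p in c.url_patterns):
            continue
        if realm_name is None:
            return "deny"
        return "allow" if set(c.roles) & set(user_roles) else "deny"
    return "allow"


# Constructed sample web.xml: one protected prefix, one unprotected prefix,
# one protected extension.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Public images</web-resource-name>
      <url-pattern>/images/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>*.pdf</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

if __name__ == "__main__":
    cs = parse_constraints(WEB_XML)
    print(deployment_decision(cs, "example-realm"), deployment_decision(cs, None))
    print(access_decision(cs, None, "/admin/users", {"admin"}))
```

Running the module prints `deploy reject` for the two deployment decisions and `deny` for an admin request when no realm is configured; the same request is allowed once a realm name (here the constructed `example-realm`) is supplied.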
