This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
     new 9f858d3e0b Add note on pathInfo, constraints and default servlet like servlets
9f858d3e0b is described below

commit 9f858d3e0bad65d702cd81b6cbfff69d65479372
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Mon Apr 28 20:44:15 2025 +0100

    Add note on pathInfo, constraints and default servlet like servlets
---
 webapps/docs/security-howto.xml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml
index 5600ecbfb8..c167f00fce 100644
--- a/webapps/docs/security-howto.xml
+++ b/webapps/docs/security-howto.xml
@@ -547,6 +547,14 @@
     <p>The WebDAV servlet enables edit functionality for web application
     content. If the WebDAV servlet is enabled, the WebDAV functionality should
     be appropriately secured.</p>
+
+    <p>When configuring security constraints, care should be taken if the URL
+    pattern for one or more constraints covers any segment of the URL that
+    becomes part of the pathInfo for a servlet and the servlet uses the 
pathInfo
+    to identify some other resource (like the default servlet does). In those
+    circumstances, correct application of the security constraint depends on 
the
+    implementation of the Servlet. All servlets included with Tomcat will 
behave
+    correctly in this scenario.</p>
   </section>
 
   <section name="Embedded Tomcat">
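Review bot: the added `<p>` (the `+` lines immediately before `</section>`) says that correct application of the constraint "depends on the implementation of the Servlet" but never states what a correct implementation does, so a reader writing their own pathInfo-resolving servlet has nothing to check against. Suggest adding one sentence spelling out the behaviour the preceding sentences imply, along the lines of: a servlet that uses pathInfo to locate another resource must not serve that resource when a security constraint whose URL pattern covers the pathInfo segment would have applied to a direct request for it, and should treat the default servlet (already named in the text as the model) as the reference behaviour, with a cross-reference to its documentation. Minor: "the Servlet" is capitalised while the rest of the paragraph writes "servlet"; use lowercase consistently.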


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org