This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push: new e60d366124 Add note on pathInfo, constraints and default servlet like servlets e60d366124 is described below commit e60d36612417f726f0d407c718a9c3990c43ed19 Author: Mark Thomas <ma...@apache.org> AuthorDate: Mon Apr 28 20:44:15 2025 +0100 Add note on pathInfo, constraints and default servlet like servlets --- webapps/docs/security-howto.xml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml index e19f9ab9dd..ec338c3e58 100644 --- a/webapps/docs/security-howto.xml +++ b/webapps/docs/security-howto.xml @@ -573,6 +573,14 @@ <p>The WebDAV servlet enables edit functionality for web application content. If the WebDAV servlet is enabled, the WebDAV functionality should be appropriately secured.</p> + + <p>When configuring security constraints, care should be taken if the URL + pattern for one or more constraints covers any segment of the URL that + becomes part of the pathInfo for a servlet and the servlet uses the pathInfo + to identify some other resource (like the default servlet does). In those + circumstances, correct application of the security constraint depends on the + implementation of the Servlet. All servlets included with Tomcat will behave + correctly in this scenario.</p> </section> <section name="Embedded Tomcat"> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
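Review bot: the new paragraph in the security-howto.xml hunk names the hazard (a constraint URL pattern that covers only a segment of the URL that becomes a servlet's pathInfo, while the servlet uses that pathInfo to locate another resource) but leaves the reader with nothing to act on for servlets not shipped with Tomcat, since "correct application of the security constraint depends on the implementation of the Servlet" is stated without saying what to check or prefer. Suggest adding a sentence of guidance, for example that the constraint be applied to the URL pattern the servlet is mapped on rather than only to the sub-path, or that a third-party servlet be verified to resolve the resource from the pathInfo in a way consistent with how constraints are matched, so an administrator can decide whether the configuration is safe. Minor style point in the same lines: "the Servlet" is capitalised while "a servlet" and "the default servlet" in the same paragraph are not; use "the servlet" throughout.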