This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push: new dfc3278334 Add note on pathInfo, constraints and default servlet like servlets dfc3278334 is described below commit dfc32783343e0a2bc8b93fd4cd5e5f2bcf152695 Author: Mark Thomas <ma...@apache.org> AuthorDate: Mon Apr 28 20:44:15 2025 +0100 Add note on pathInfo, constraints and default servlet like servlets --- webapps/docs/security-howto.xml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml index f5f890b1d2..a3b8e4119e 100644 --- a/webapps/docs/security-howto.xml +++ b/webapps/docs/security-howto.xml @@ -583,6 +583,14 @@ <p>The WebDAV servlet enables edit functionality for web application content. If the WebDAV servlet is enabled, the WebDAV functionality should be appropriately secured.</p> + + <p>When configuring security constraints, care should be taken if the URL + pattern for one or more constraints covers any segment of the URL that + becomes part of the pathInfo for a servlet and the servlet uses the pathInfo + to identify some other resource (like the default servlet does). In those + circumstances, correct application of the security constraint depends on the + implementation of the Servlet. All servlets included with Tomcat will behave + correctly in this scenario.</p> </section> <section name="Embedded Tomcat"> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
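Review bot: the new paragraph in security-howto.xml tells the reader that "care should be taken" and that correct enforcement "depends on the implementation of the Servlet", but it gives no concrete action for the case that actually needs it, a third-party or application servlet that resolves resources from pathInfo; consider adding one sentence stating what to do in that case (for example, reviewing how such a servlet treats pathInfo before relying on a constraint whose URL pattern covers only part of the path it serves). Also, "Servlet" in "implementation of the Servlet" is capitalised while the rest of the paragraph uses lowercase "servlet"; make the two consistent.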