On Thu, 14 Jun 2001, Gogineni, Pratima wrote:
> I have a general question regarding security constraints - if you are using
> the form based authentication - is the login page allowed to match one of
> the url-patterns in the security constraints.
>
Yes it's allowed. Otherwise, you could not use a URL pattern like "/*" to
protect the entire web application.
> I found that this kind of set up goes into an infinite loop -
> understandably.
> The question is - it should be possible to detect this & not go into an
> infinite loop?
> I couldnt find anything in the servlet spec 2.2 regarding this...
>
Tomcat 3.2, if I remember correctly, has problems with this. Tomcat 4.0
(and I'm sure other servers do to) handles it correctly.
> thanks
> pratima
Craig
