Bill Barker wrote:
Ok, this isn't right. Tomcat defaults to NonLoginAuthenticator if there
is
no login-config. This one just approves everybody for everything.
Ok. This isn't absolutely critical, but needs to be fixed.
I just tested this with a fresh build of everything, and it seems that Tomcat is working fine. I set allowTrace="true" on the connector, and put in a security-constraint to forbid TRACE in ROOT/WEB-INF/web.xml but no login-config. The result is a perfectly good 403 response to 'TRACE / HTTP/1.0', and a perfectly good TRACE response to 'TRACE /jsp-examples/ HTTP/1.0'.
I'm afraid that you will have to provide a test case if you want to re-open this issue ;-). I'm resolving it as WORKSFORME.
Cool. That's the impression I had, but it wasn't a proper test, so I'm not too sure.
I was surprised to notice it wasn't possible to add the constraint to the default web.xml and be done.
Rémy
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
