Bill/Remy,
But SRV.9.10 ("Welcome Files") already has this:
The container may send the request to the welcome resource with a forward, a redirect, or a container specific mechanism **that is indistinguishable from a direct request**.
The latter to me implies that any sec constraints must be applied to the mapped welcome page (if any).
The plot thickens.
Also, see the attached diffs, in particular:
- String uri = request.getDecodedRequestURI(); - String contextPath = hreq.getContextPath(); - if (contextPath.length() > 0) - uri = uri.substring(contextPath.length()); + String uri = request.getRequestPathMB().toString();
in findSecurityConstraints().
When accessing <host>:<port>:/somecontext/, which has welcome page /somecontext/index.jsp,
request.getDecodedRequestURI() returns "/somecontext/", whereas request.getRequestPathMB().toString() returns "/index.jsp" (as set by the mapper), so there already is a precedent in findSecurityConstraints() to match sec constraints against welcome page, which I think makes sense.
Right. However, when I made that commit, the current mapper behavior may not have been in place already, or maybe it's simply that I thought the two would be equivalent (I was busy optimizing at the time). I don't quite remember ;)
Rémy
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
