This was discussed earlier. Here is a snippet from the post by Craig
McClanahan :
In your <security-constraint>, you are specifying <url-pattern> entries that
are
not legal according to the servlet specification (such as "*/WCFAdmin.jsp"
and
"*/wcfsystem"). The legal syntax only allows "*" wildcards at the *end* of
the
URL, not the beginning. If JRun supports these values, it is doing so
outside
of the servlet spec, and is therefore not portable.
For more information on the legal syntax for URL patterns, and pretty much
everything else that is mandated about servlets, see the Servlet API
Specification, version 2.2, which you can download from
<http://java.sun.com/products/servlet/download.html>.
Regards,
Paul
-----Original Message-----
From: Christian Sell [mailto:[EMAIL PROTECTED]]
Sent: Sunday, December 10, 2000 04:07 PM
To: [EMAIL PROTECTED]
Subject: security-constraint url-pattern not working
Hello,
The following url-pattern in a security-constraint in my WEB.XML causes the
page WCPAdmin.jsp (which resides in a subdirectory below the context root)
to be protceted under Orion and JRun, whereas Tomcat lets me access it
without any constraints:
<url-pattern>*/WCFAdmin.jsp</url-pattern>
If I change the pattern to:
<url-pattern>/jsp/admin/*</url-pattern>
all servers behave equal, protecting all pages in the given subdirectory.
Now, I wonder why Tomcat ignored the first specification. I suppose this is
a bug, but on whose side (JRun & Orion, Tomcat or mine)
regards,
Christian
