Kevin Jones wrote: > > No I don't want a workaround - I've already got it working. I was pointing > this out because > > a) it is conflicting behaviour in the two current versions of Tomcat (3.2.1 > and TC 4) and > b) the spec is silent on the behaviour and I was wondering if Craig or any > of the other Tomcat authors would comment > It is a bug in 3.2.1. There is a bunch of special case logic in Tomcat 4.0 to let you see the form login (and error) page, even if it is within the set of URLs protected by a security constraint. This is likely to get clarified in the next round of the 2.3 specification. One note on your original example, however -- if "/foo" is the context path to your application, and you wish to protect the entire webapp, you would use "/*" as the URL pattern inside your security constraint. Craig --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
