Ok, I needed to put some security constraints on a directory, so I added this
to my web.xml:
<security-constraint>
  <display-name>UQoS Amin Area</display-name>
  <web-resource-collection>
    <web-resource-name>UQoS Amin Area</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
I use BASIC authentication using the memory realm.
Works like it's supposed to when someone goes to my http://xxx/webapp/Admin/ or
something below. HOWEVER, if they type http://xxx/webapp//Admin/ (or even
more slashes), all security checks are bypassed and anyone is let right in!
(The same thing always happens; try it with the 'security' example shipped with
Tomcat.)
Severe bug! I have posted it to BugZilla. This applies to at least Tomcat
3.2.1 and 3.2.2.
And I need it fixed as soon as possible. Does anyone know a workaround for
this one? (I'd rather not upgrade to Tomcat 4 yet; seems like it's fixed here.)
--
Nils O. Selåsdal
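
The behaviour reported above, as an added example that is not part of the original post and is not Tomcat's code: a model of a `/admin/*` prefix check applied to the path as typed and then to a normalized path. It assumes the constraint is compared against the un-normalized request path; the class name, method names and sample paths are constructed for illustration.

```java
import java.util.ArrayDeque;
import java.util.Deque;

// Added illustration, not Tomcat source. Models a "/prefix/*" constraint check.
public class ConstraintMatchDemo {

    // Servlet-style prefix match for a pattern such as "/admin/*".
    static boolean matchesPrefixPattern(String pattern, String path) {
        String prefix = pattern.substring(0, pattern.length() - 2); // drop "/*"
        return path.equals(prefix) || path.startsWith(prefix + "/");
    }

    // Collapse empty and "." segments and resolve ".." before any matching.
    // Returns null when ".." would climb above the context root.
    static String normalize(String path) {
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : path.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) {
                if (segments.isEmpty()) return null;
                segments.removeLast();
            } else {
                segments.addLast(seg);
            }
        }
        String joined = "/" + String.join("/", segments);
        // Preserve a trailing slash so directory requests stay directory requests.
        return (path.endsWith("/") && joined.length() > 1) ? joined + "/" : joined;
    }

    public static void main(String[] args) {
        String pattern = "/admin/*";
        // Constructed context-relative paths; only the first is in canonical form.
        String[] samples = {
            "/admin/index.jsp", "//admin/index.jsp", "/./admin//x", "/public/../admin/"
        };
        for (String raw : samples) {
            String norm = normalize(raw);
            System.out.printf("%-20s raw match=%-5b normalized=%-18s match=%b%n",
                raw, matchesPrefixPattern(pattern, raw), norm,
                norm != null && matchesPrefixPattern(pattern, norm));
        }
    }
}
```

Only the first sample matches the pattern in its raw form; all four match once normalized, which is why the access decision has to be made on the same canonical path that is later used to locate the resource.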