> -----Original Message-----
> From: Neven Cvetkovic [mailto:neven.cvetko...@gmail.com]
> Sent: Tuesday, April 23, 2013 5:29 PM
> To: Tomcat Users List
> Subject: Re: Question on servlet determination
> 
> > > ________________________________
> > > From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
> > > <web-app>
> > >   <security-constraint>
> > >     <web-resource-collection>
> > >       <web-resource-name>Everything</web-resource-name>
> > >       <url-pattern>*.jsp</url-pattern>
> > >       <url-pattern>*.html</url-pattern>
> > >       <url-pattern>*.js</url-pattern>
> > >       <url-pattern>/Servlet1</url-pattern>
> > >       <url-pattern>/Servlet2</url-pattern>
> > >     </web-resource-collection>
> >
> 
> Jeffrey, why don't you just use a "catch all" url pattern?
> 
> Is there anything that you don't want to be part of the same security
> constraint? In this case the security constraint just enforces SSL, but
> it could do other things, check roles, etc. In that case you might want
> to split secure and non-secure resources ... (e.g. the login page should
> not be secure and the login action should be secure, etc...)
> 
> What are you trying to achieve?
> 
> Cheers!
> Neven
> 
IIRC, I originally had the "/*" entry, back in Tomcat 4.x, but it wouldn't 
force the move to https for any files directly asked for in the top level.  For 
example, http://myhost/login.jsp would not switch to https until after you 
entered your login information.
If I get some free time, I'll probably be retesting, but, yes, I'm also going 
to be adding a section that will be using a different auth method for a third 
servlet. 
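
An added example, not part of the original thread and not Tomcat's own code: a small audit script that applies the Servlet specification's url-pattern matching rules (exact, path-prefix, extension, default) to list which request paths fall outside a constraint's patterns. The `user-data-constraint` in the sample, the request paths, and the names `/Servlet3` and `/css/site.css` are assumptions constructed for illustration; only the five url-patterns come from the quoted fragment.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml: the url-patterns are the ones quoted in the thread; the
# user-data-constraint is an assumption (the quoted fragment is cut off before it).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Everything</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
      <url-pattern>*.html</url-pattern>
      <url-pattern>*.js</url-pattern>
      <url-pattern>/Servlet1</url-pattern>
      <url-pattern>/Servlet2</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

def confidential_patterns(web_xml):
    """Collect url-patterns of every constraint that demands CONFIDENTIAL transport."""
    patterns = []
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        if sc.findtext("user-data-constraint/transport-guarantee", "").strip() == "CONFIDENTIAL":
            patterns += [p.text.strip() for p in sc.iter("url-pattern")]
    return patterns

def matches(pattern, path):
    """Servlet-spec url-pattern match; path is context-relative, no query string."""
    if pattern == "/":                      # default pattern: anything not matched elsewhere
        return True
    if pattern.endswith("/*"):              # path-prefix pattern; "/*" covers everything
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):            # extension pattern, tested on the last segment
        last = path.rsplit("/", 1)[-1]
        return "." in last and last.rsplit(".", 1)[1] == pattern[2:]
    return path == pattern                  # exact pattern

def uncovered(patterns, paths):
    """Return the paths that none of the given patterns cover."""
    return [p for p in paths if not any(matches(pat, p) for pat in patterns)]

# Constructed request paths; /Servlet3 and /css/site.css are hypothetical names
PATHS = ["/login.jsp", "/Servlet1", "/Servlet1/export", "/Servlet3", "/css/site.css", "/"]

if __name__ == "__main__":
    print("no CONFIDENTIAL constraint:", uncovered(confidential_patterns(WEB_XML), PATHS))
```

The sample descriptor has no XML namespace; a real `web.xml` that declares one needs namespace-qualified tag names in the `iter` and `findtext` calls.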

