> From: Mark Thomas [mailto:ma...@apache.org]
> Subject: Re: Request not forwarded to login page with security-constraint after session time-out
>
> If "*" is all roles defined and you have no roles defined then you are basically preventing anyone from accessing that resource
That's not quite what it says. The actual wording: "The special role name "*" is a shorthand for all role names defined in the deployment descriptor. An authorization constraint that names no roles indicates that access to the constrained requests must not be permitted under any circumstances."

In the OP's case, the authorization constraint does name roles, albeit just the shorthand version. What the spec is not explicit about is the combination of "*" with an empty or non-existent <security-role> list. The OP (and others) have interpreted the "*" and no <security-role> list to indicate no roles are needed for authorization. For all we know, the intent of the spec writers may have been to allow that.

- Chuck
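To make the distinction in Chuck's reply concrete, here is a constructed web.xml fragment (added illustration, not from the thread or from Tomcat) showing the two cases the spec text does define, with the OP's ambiguous case described in a comment. The URL patterns, role names and login pages are assumed values.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example: the cases discussed in the thread side by side. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- Case 1: "*" with roles declared. "*" is shorthand for every
       <security-role> below, so /admin/* requires an authenticated
       user holding admin or operator. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>operator</role-name></security-role>

  <!-- Case 2: an auth-constraint that names no roles at all. Per the
       spec wording quoted above, this denies every request to the
       resource, authenticated or not. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Disabled endpoint</web-resource-name>
      <url-pattern>/internal/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <!-- Case 3 (the OP's configuration) is Case 1 with both
       <security-role> elements deleted: "*" names "all roles", but the
       descriptor declares none. The spec does not say what that means,
       so the effective access rule depends on the container. -->

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>
```

Because Case 3 is container-defined, verify the actual behaviour on the container you deploy to rather than assuming either "deny all" or "any authenticated user".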