> -----Original Message-----
> From: André Warnier [mailto:a...@ice-sa.com]
> Subject: Re: Dynamic Security Constraints?
>
> Addenda:
> 1) ... You'd have to think carefully of where you place these files to download, so that Tomcat does not unwittingly provide the possibility for a user to download such a file directly (bypassing the login) by providing a URL that points to the file directly.
Not to change the subject, but I hear a lot of people talking about the point you're making about where to place the file and unwittingly providing a URL to access it outside of a security constraint. Perhaps there is some design history to this that people used to do that I am just missing, so could someone please enlighten me?

If I place a file in a webapp context of customerx, and restrict access to everything in the customerx URL pattern to a specific login, how can that URL be accessed outside of a security check? Are people doing something else when they deploy their apps that would allow the situation you are describing? Are they creating a separate docBase?
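As an added illustration (not from either poster), here is a web.xml fragment showing the two configuration gaps that typically let a file be fetched without passing the login, followed by the tightened form. The context name customerx, the role name customerx, the paths /app/* and /downloads/*, and the file name report.pdf are assumed for the example.

```xml
<!-- WEAK: only /app/* is constrained, and only for GET and POST.
     A file copied to <docBase>/downloads/report.pdf is served by the
     default servlet to anyone who requests /customerx/downloads/report.pdf,
     and even /app/* is reachable with an unlisted method (HEAD, OPTIONS...)
     because a security-constraint that names http-methods leaves every
     other method uncovered. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>customerx app</web-resource-name>
    <url-pattern>/app/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>customerx</role-name>
  </auth-constraint>
</security-constraint>

<!-- TIGHTENED: the whole context, every HTTP method, over TLS.
     deny-uncovered-http-methods (Servlet 3.1+) is a top-level web-app
     element; it makes Tomcat reject any method a constraint did not list.
     Files kept under WEB-INF/ are never served directly by the container,
     so placing downloads there and streaming them from a servlet removes
     the direct-URL path entirely. Note that a second context or a separate
     docBase has its own web.xml; constraints here do not reach it. -->
<deny-uncovered-http-methods/>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>customerx (entire context)</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>customerx</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>customerx</role-name>
</security-role>
```

A quick check after deployment is to request a known file path in the context while logged out and confirm the response is the login page rather than the file; Tomcat also logs a startup warning when a constraint leaves HTTP methods uncovered.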