struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Craig R. McClanahan" <>
Subject Re: [OT] - Realm Security - How to set overlapping constraints?
Date Mon, 07 Jul 2003 16:29:10 GMT

On Mon, 7 Jul 2003, Max Cooper wrote:

> Date: Mon, 7 Jul 2003 07:26:42 -0700
> From: Max Cooper <>
> Reply-To: Struts Users Mailing List <>
> To: Struts Users Mailing List <>
> Subject: Re: [OT] - Realm Security - How to set overlapping constraints?
> ----- Original Message -----
> From: "Navjot Singh" <>
> > Thanks Craig,
> >
> > Reversing the order of constraints does work. I should have RTFM.
> That kind of surprises me. The Servlet Spec v2.3 section SRV 11.1 says that
> exact patterns should be tried first, then paths (longest to shortest, by
> number of elements), then extensions, then the default servlet (/). The
> description of each of these types of patterns is also in the spec (the
> rules are simple and clear). Going by the spec, I would think that it would
> try /p/ first, since it is an exact pattern, and it would fail (403
> error) there if the user didn't have the admin role. Perhaps there is
> something going on since the servlet mapping pattern is *.do. Craig, any
> input on what is going on there?

This whole topic has been the subject of several very long threads on the
servlet EG mailing list, because the intent of referring to Section 11.1
was to describe the valid syntax for URL expressions, not the priority
order of matching.  The bottom line is that is's currently somewhat
ambiguous, and different containers sometimes behave differently.  I've
described what Tomcat does (and it's the basis of the reference

We tried to detangle the ambiguities in Servlet 2.4 (currently in Proposed
Final Draft) -- I'd be interested in your feedback on whether we

Feedback can be sent to for the servlet


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message