Unfortunately this is not a bug, but a flaw with the servlet spec and with Tomcat.

The servlet spec says that welcome files can be implemented with a redirect, Dispatcher.forward or with "a mechanism indistinguishable to a direct request". Jetty offers the first two options, for which security is well defined (constraints apply to redirection, do not apply to forwards).

The indistinguishable option is used by Tomcat and is poorly defined as to what that means with regard to security. For the 2.5 specification there was a discussion within the expert group about this, which concluded that the constraints should be applied before welcome file mapping. The GlassFish fork of Tomcat has been updated to represent this, but I am not sure if Tomcat has yet been corrected.
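
As an added example (not from the original page or the Jetty project), this web.xml fragment puts a constraint on a welcome file and sets the `redirectWelcome` init parameter of Jetty's DefaultServlet, which selects the redirect mechanism described above. The resource name, role, realm and the servlet class package (which depends on the Jetty version) are assumptions.

```xml
<!-- Added example: WEB-INF/web.xml fragment. Names, role and realm are constructed. -->
<web-app>
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>

  <!-- Constraint written against the welcome file's own path. A request for
       "/" does not match this pattern; only a request for /index.jsp does. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>welcome page</web-resource-name>
      <url-pattern>/index.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>example</realm-name>
  </login-config>
  <security-role>
    <role-name>user</role-name>
  </security-role>

  <!-- Override Jetty's default servlet so welcome files are served by
       redirect: the client then issues a new request for /index.jsp and the
       constraint above is evaluated. With redirectWelcome set to false the
       welcome file is reached by a forward and the constraint is not applied. -->
  <servlet>
    <servlet-name>default</servlet-name>
    <!-- Assumption: Jetty 7 to 9 package name; Jetty 6 uses
         org.mortbay.jetty.servlet.DefaultServlet instead. -->
    <servlet-class>org.eclipse.jetty.servlet.DefaultServlet</servlet-class>
    <init-param>
      <param-name>redirectWelcome</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
</web-app>
```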