My Security Constraints are Not Being Applied to my Welcome Files

Unfortunately this is not a bug, but a flaw with the servlet spec and with Tomcat.

The servlet spec says that welcome files can be implemented with a redirect, with Dispatcher.forward, or
with "a mechanism indistinguishable to a direct request". Jetty offers the first two options, for which
security is well defined (constraints apply to redirects and do not apply to forwards).

The indistinguishable option is used by Tomcat, and it is poorly defined what that means
with regard to security. For the 2.5 specification there was a discussion within the expert
group about this, which concluded that the constraints should be applied before
welcome file mapping. The GlassFish fork of Tomcat has been updated to reflect this, but
I am not sure if Tomcat has yet been corrected.
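
Added example (not from the Jetty documentation): a Servlet 2.5 `web.xml` showing a constraint that names only the welcome file, which a forwarded welcome file is not checked against, beside one that also covers the directory URL the client actually requests. The `/admin/` path, the `admin` role and the realm name are assumptions made for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>

  <!-- WEAK (shown for comparison, left disabled):
       the pattern matches /admin/index.jsp only. A request for /admin/
       is checked against the constraints as /admin/, matches nothing,
       and the welcome file is then reached by a forward, to which
       constraints are not applied.

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin welcome page</web-resource-name>
      <url-pattern>/admin/index.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  -->

  <!-- CORRECTED: the pattern covers the directory URL as well as the
       file, so the check happens on the original request, before any
       welcome file mapping takes place. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Example Realm</realm-name> <!-- constructed name -->
  </login-config>

  <security-role>
    <role-name>admin</role-name>
  </security-role>
</web-app>
```

Jetty's DefaultServlet also has a `redirectWelcome` init parameter that selects the redirect option, in which case the client's second request for the welcome file itself is checked against the constraints.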
