since that is by far not anything like regular expressions or anything known e.g. from ant's build.xml
Created attachment 14967 [details] RealmBase.java.patch for example /login.do will not be matched by <url-pattern>/login*</url-pattern> as per section 11.2 of the Servlet API Specification (http://java.sun.com/aboutJava/communityprocess/first/jsr053/servlet23_PFD.pdf) see also http://java.sun.com/dtd/web-app_2_3.dtd
I'm -1 to the patch, as is. A <url-pattern>/login*</url-pattern> is a perfectly valid (if somewhat strange :) exact-match pattern, so Tomcat can't fault it. I'm +1 to adding a log.warn to SecurityCollection.addPattern for questionable patterns like this, since it could only reduce the questions on tomcat-user.
Warning added to SecurityCollection. Thanks for this useful suggestion.
I think there might be a bug in this implementation which is reporting legitimate url-mappings as questionable. If I understand the original intent of this patch, should not the line that currently appears as: if (pattern.charAt(pattern.length()-1) != '/') { should be: if (pattern.charAt(pattern.length()-2) != '/') { What do you think?
(In reply to comment #4) I'm approving of comment #4. And I think that level of loggings should be unified. if (log.isDebugEnabled()) { log.debug(...); } or if (log.isWarnEnabled()) { log.warn(...); } Thanks.
Thanks for pointing out my counting error. see bug 39364 for a discussion of the broader context of such constraint urls.
It seems that this patch was applied to SecurityCollection, but without the fix mentioned in comment #4. Submitted a separate bug to fix SecurityCollection, bug 43079
This was fixed for all currently supported Tomcat versions some time ago.