It is possible under certain circumstances to bypass the web security model when running the J2EE SDK 1.2.1 on Windows platforms and unintentionally to expose static content or JSPs to unauthorized users. This problem does not affect users on Unix® based platforms.
This affects J2EE applications containing one or more web applications that use the security constraint mechanism to protect web content against unauthorized users. The vulnerability stems from the RI using case sensitive matches for security constraints, but using a case insensitive match for requests either for static content or JSPs in the Windows version. There is no known vulnerability allowing unauthorized access to servlets written in the Java programming language.
Since the J2EE SDK is a reference implementation of the J2EE platform specifications and so was not designed or written for production use, we do not think that this issue affects your ability to use it to learn about J2EE technology, and prototype J2EE applications using the J2EE SDK. We will be addressing this particular issue in a future release.