tomcat-dev mailing list archives

Subject cvs commit: jakarta-tomcat/src/doc readme
Date Sat, 04 Nov 2000 21:07:28 GMT
craigmcc    00/11/04 13:07:28

  Modified:    src/doc  Tag: tomcat_32 readme
  Add a note about the fact that Tomcat 3.2 applies security constraints
  on request dispatcher forwards and includes.
  Revision  Changes    Path
  No                   revision
  No                   revision   +16 -1     jakarta-tomcat/src/doc/readme
  Index: readme
  RCS file: /home/cvs/jakarta-tomcat/src/doc/readme,v
  retrieving revision
  retrieving revision
  diff -u -r1.8.2.3 -r1.8.2.4
  --- readme	2000/10/13 02:52:31
  +++ readme	2000/11/04 21:07:26
  @@ -1,4 +1,4 @@
  -$Id: readme,v 2000/10/13 02:52:31 larryi Exp $
  +$Id: readme,v 2000/11/04 21:07:26 craigmcc Exp $
                              Release Notes for:
  @@ -280,3 +280,18 @@
   URL. If that static page contains relative links to resources served by
   Tomcat, then invoking those links would carry the mismatched case to Tomcat
   where it cause the resource not to be found.
  +6.8 Container Managed Security Constraints
  +Due to the way that Tomcat 3.2 is implemented, container managed security
  +constraints are imposed both on the original request URI *and* on subrequests
  +initiated to handle RequestDispatcher.forward() or RequestDispatcher.include()
  +calls.  Whether or not this should actually be done was not defined in the
  +Servlet 2.2 Specification, but has been clarified in 2.3 -- security
  +constraints should only be applied on the original request URI.
  +For future compatibility, you should be aware of this issue as you design your
  +security constraint architecture, to avoid portability problems if you ever
  +migrate to a different Servlet 2.2 container (which might implement this
  +differently), or to a Servlet 2.3 container at a later date.
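Review bot: The closing paragraph of the new section 6.8 tells readers to "be aware of this issue" but never states the concrete consequence or what to do about it. As the first paragraph describes it, Tomcat 3.2 checks constraints on the target of RequestDispatcher.forward() and RequestDispatcher.include(), while a Servlet 2.3 container checks only the original request URI. An application that relies on the 3.2 behaviour to guard a forward or include target therefore loses that check after migration. Suggest adding one sentence saying so, and recommending that every resource needing protection be covered by a constraint that matches the original request URI rather than only the dispatch target.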
