tomcat-dev mailing list archives

From "Craig R. McClanahan" <Craig.McClana...@eng.sun.com>
Subject [Tomcat 3.2 Issue] Security Constraints on RequestDispatcher Calls
Date Sat, 04 Nov 2000 21:00:27 GMT
While researching the issues related to BugRat Bug Report #213
("RequestDispatcher does not propagate errors"), I became aware that, in
the implementation of RequestDispatcher.forward() and
RequestDispatcher.include(),
(org.apache.tomcat.facade.RequestDispatcherImpl) the method
ContextManager.processRequest() is called to perform the mapping of the
forwarded or included request to the appropriate servlet.

This kind of function re-use makes sense -- however, it has a disturbing
implication in this case.  The implementation of processRequest() calls
the contextMap() and requestMap() methods of all configured request
interceptors.  This means (among other things) that security
constraints, if you are using container managed security, will be called
on the original request *and* on the forwarded-to or included servlet.

This behavior wasn't really specified in servlet 2.2, but it was
clarified in 2.3 -- security constraints are only to be applied on the
original request URI, not when doing request dispatcher stuff.

Because it was unspecified in 2.2, I recommend we just note this as an
issue in the Tomcat 3.2 release notes -- unless someone wants to dig in
and do the intricate special casing necessary to make this work the way
that 2.3 would require.  Any thoughts?

Craig McClanahan
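
The situation Craig describes, as an added example that is not part of the original message or of the Tomcat 3.2 code base. It assumes a hypothetical web.xml with container-managed security constraining /admin/* to the role "admin", a hypothetical servlet mapped at /admin/report, and an unconstrained servlet at /public/* that forwards into the protected area. The first servlet relies on the container; the second does the role check itself, which is what an application must do once the 2.3 rule (constraints apply only to the original request URI, not to forward/include) is in effect.

```java
// Added example, not Tomcat's code. Assumed (hypothetical) web.xml:
//   <security-constraint>
//     <web-resource-collection>
//       <web-resource-name>admin</web-resource-name>
//       <url-pattern>/admin/*</url-pattern>
//     </web-resource-collection>
//     <auth-constraint><role-name>admin</role-name></auth-constraint>
//   </security-constraint>
// plus a servlet mapped to /admin/report and the two servlets below mapped
// under /public/* (no constraint). Servlet 2.2/2.3 API (javax.servlet).

// ---- File: ForwardingServlet.java --------------------------------------
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Publicly reachable; forwards into the constrained area and relies on the
 * container for authorization.
 *
 * With the Tomcat 3.2 behaviour described in the message, the request
 * interceptors (and therefore the /admin/* constraint) run a second time on
 * the forwarded request, so an anonymous client is challenged or rejected here.
 * Under servlet 2.3 semantics the forward is not subject to the constraint,
 * so this servlet would serve /admin/report to anyone who can reach /public/*.
 */
public class ForwardingServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        RequestDispatcher rd =
            getServletContext().getRequestDispatcher("/admin/report");
        rd.forward(req, resp);
    }
}

// ---- File: CheckedForwardingServlet.java -------------------------------
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Same forward, but the application enforces the role before dispatching.
 * This gives the same result on both containers: the 3.2-style re-check is
 * harmless, and a 2.3-compliant container (which only checks the original
 * request URI) is no longer the only thing standing between an anonymous
 * client and /admin/report.
 */
public class CheckedForwardingServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Not authenticated at all: the container never challenged this
        // request because /public/* carries no constraint.
        if (req.getUserPrincipal() == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Authenticated but not in the role that /admin/* requires.
        if (!req.isUserInRole("admin")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        RequestDispatcher rd =
            getServletContext().getRequestDispatcher("/admin/report");
        rd.forward(req, resp);
    }
}
```

A quick way to tell which behaviour a container has: deploy ForwardingServlet, request /public/forward as an anonymous client, and see whether you get the report body (2.3 semantics, constraint not re-applied) or the login challenge / 401 (the 3.2 behaviour described above). Whichever you observe, CheckedForwardingServlet behaves the same on both.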


