tomcat-dev mailing list archives

From Hans Bergsten <>
Subject Re: [Tomcat 3.2 Issue] Security Constraints on RequestDispatcher Calls
Date Sat, 04 Nov 2000 22:43:28 GMT
"Craig R. McClanahan" wrote:
> [...]
> This kind of function re-use makes sense -- however, it has a disturbing
> implication in this case.  The implementation of processRequest() calls
> the contextMap() and requestMap() methods of all configured request
> interceptors.  This means (among other things) that security
> constraints, if you are using container managed security, will be called
> on the original request *and* on the forwarded-to or included servlet.
> This behavior wasn't really specified in servlet 2.2, but it was
> clarified in 2.3 -- security constraints are only to be applied on the
> original request URI, not when doing request dispatcher stuff.
> Because it was unspecified in 2.2, I recommend we just note this as an
> issue in the Tomcat 3.2 release notes -- unless someone wants to dig in
> and do the intricate special casing necessary to make this work the way
> that 2.3 would require.  Any thoughts?

Are you sure that it's not special-cased somewhere else? I have an example
with a servlet performing access control that uses forward() to invoke JSP
pages that are protected from direct access in web.xml (using BASIC 
authentication). This works fine in TC 3.2 Beta 6. Either I'm missing
something or this code has changed between Beta 6 and now.

Hans Bergsten
Gefion Software
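The pattern Hans describes, a servlet that performs its own access control and then forwards to a JSP that web.xml protects from direct access, as an added example that is not code from this thread or from Tomcat. The servlet name `ReportController`, the JSP path `/protected/report.jsp`, the `manager` role and the session attribute `authenticatedUser` (assumed to be set by a separate login servlet) are all assumptions for illustration. Under the Servlet 2.3 clarification quoted above, the container checks the security constraint only against the original request URI, so the forward itself is not re-checked; the servlet's own check is therefore the only gate on the forwarded path, which is why it runs before the dispatch.

```java
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/*
 * Assumed web.xml fragment (illustrative, not from the thread). It blocks
 * direct browser requests to the JSP behind BASIC authentication, as in
 * Hans's example; the controller servlet itself is mapped outside /protected/.
 *
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>Protected views</web-resource-name>
 *       <url-pattern>/protected/*</url-pattern>
 *     </web-resource-collection>
 *     <auth-constraint>
 *       <role-name>manager</role-name>
 *     </auth-constraint>
 *   </security-constraint>
 *   <login-config>
 *     <auth-method>BASIC</auth-method>
 *   </login-config>
 */
public class ReportController extends HttpServlet {

    // Hypothetical JSP that must only be reached through this servlet.
    private static final String PROTECTED_VIEW = "/protected/report.jsp";

    // Hypothetical session attribute set by an assumed login servlet.
    private static final String USER_ATTR = "authenticatedUser";

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!isAuthorized(req)) {
            // Deny before any dispatch: the forward will not be re-checked
            // by the container's security constraints (Servlet 2.3 semantics).
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        RequestDispatcher rd = req.getRequestDispatcher(PROTECTED_VIEW);
        rd.forward(req, resp);
    }

    /**
     * The servlet's own access control. Accepts either a user the assumed
     * login servlet stored in the session, or a container-authenticated user
     * holding the assumed "manager" role.
     */
    static boolean isAuthorized(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        if (session != null && session.getAttribute(USER_ATTR) != null) {
            return true;
        }
        return req.getRemoteUser() != null && req.isUserInRole("manager");
    }
}
```

If the container instead applied the constraint on the forward as well, as Craig describes the current processRequest() path doing, a request that passed isAuthorized() via the session attribute but had no BASIC credentials would be challenged or rejected at the forward, which is exactly the difference Hans is asking about.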
