tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Aiken, David" <David_Ai...@bmc.com>
Subject MVC problem
Date Thu, 30 Nov 2000 16:20:41 GMT
> hi all..
>
> We're hitting a problem with the MVC approach in tomcat.
>
> Our controller is designed to intercept all requests for URLs within our
> web application so that it can handle internationalization and security
> checks centrally.
>
> The problem is as follows:
> - the controller servlet registers interest in URLs of the form '*.jsp'
> - a request for 'a.jsp' arrives and the controller checks security and
> negotiates the locale settings
> - the controller includes the contents of 'a.jsp' in the response
>
> At this point it seems that tomcat takes over. Unfortunately, it doesn't
> retrieve the contents of the page - it just resubmits the request to the
> controller again, resulting in an endless loop. This also occurs for a
> 'forward'. Not good.
>
> One of the workarounds is to use URLs of the form '.do' to request page
> content. This allows the controller to forward to a .jsp URL without
> getting into a loop. The problem is that someone who knows the structure
> of the www site can submit requests for '.jsp' directly and bypass any
> security checks. The obvious workaround for this is to put tags into the
> .jsp pages and java calls into any servlets to perform the security check
> - but this negates any advantage to the MVC approach (and forces
> page/servlet developers to remember to place checks into all of their
> content).
>
> We're probably missing something - it seems difficult to believe that the
> MVC approach has such a fundamental flaw.
>
> thanks!
> David Aiken
> BMC Software

Mime
View raw message