tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Carole HEBRARD <>
Subject Security and Forward
Date Tue, 31 Oct 2000 08:26:15 GMT

I have the following behaviour in Tomcat 3.2b6 on Windows NT.
I protect a page P using security-constraint in the deployment
descriptor. So when I call this page, the browser asks me for a
Now, I have a JSP page which is    <jsp:forward page "P">.
When I call the JSP page, I see the P page without giving any

I think that this is a security hole.
Does anyone have already see that behaviour? Is it a bug or is it ok?

Best Regards,
Carole H├ębrard.

View raw message