tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Carole HEBRARD <carole.hebr...@netcelo.com>
Subject Security and Forward
Date Tue, 31 Oct 2000 08:26:15 GMT
Hi.

I have the following behaviour in Tomcat 3.2b6 on Windows NT.
I protect a page P using security-constraint in the deployment
descriptor. So when I call this page, the browser asks me for a
login/password.
Now, I have a JSP page which is    <jsp:forward page "P">.
When I call the JSP page, I see the P page without giving any
login/password.

I think that this is a security hole.
Does anyone have already see that behaviour? Is it a bug or is it ok?

Best Regards,
Carole H├ębrard.


Mime
View raw message