tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Craig R. McClanahan" <>
Subject Re: Security and Forward
Date Tue, 31 Oct 2000 19:04:26 GMT
Carole HEBRARD wrote:

> Hi.
> I have the following behaviour in Tomcat 3.2b6 on Windows NT.
> I protect a page P using security-constraint in the deployment
> descriptor. So when I call this page, the browser asks me for a
> login/password.
> Now, I have a JSP page which is    <jsp:forward page "P">.
> When I call the JSP page, I see the P page without giving any
> login/password.
> I think that this is a security hole.
> Does anyone have already see that behaviour? Is it a bug or is it ok?

This was recently clarified in discussions for servlet 2.3.  Security
constraints apply only on the initial request URI, not on the URIs used
for request dispatchers.  The assumption is that your application knows
whether or not the forwarded-to page is acceptable, or it would not have
done the forward in the first place.

In 2.3, the same rule applies to filters -- they are only based on the
original request URI.

> Best Regards,
> Carole H├ębrard.

Craig McClanahan

View raw message