tomcat-users mailing list archives

From Matt Goss <mg...@rtci.com>
Subject Re: Security and Forward
Date Wed, 01 Nov 2000 14:09:08 GMT
Hi,
what if you use a redirect instead of forward?
Matt Goss

"Craig R. McClanahan" wrote:

> Carole HEBRARD wrote:
>
> > Hi.
> >
> > I have the following behaviour in Tomcat 3.2b6 on Windows NT.
> > I protect a page P using security-constraint in the deployment
> > descriptor. So when I call this page, the browser asks me for a
> > login/password.
> > Now, I have a JSP page which is <jsp:forward page="P" />.
> > When I call the JSP page, I see the P page without giving any
> > login/password.
> >
> > I think that this is a security hole.
> > Has anyone already seen that behaviour? Is it a bug or is it ok?
> >
>
> This was recently clarified in discussions for servlet 2.3.  Security
> constraints apply only on the initial request URI, not on the URIs used
> for request dispatchers.  The assumption is that your application knows
> whether or not the forwarded-to page is acceptable, or it would not have
> done the forward in the first place.
>
> In 2.3, the same rule applies to filters -- they are only based on the
> original request URI.
>
> >
> > Best Regards,
> > Carole Hébrard.
>
> Craig McClanahan

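To show the defensive side of Craig's point, here is an added example (not code from this thread or from Tomcat itself) of a servlet filter that re-checks the caller's role on the protected page itself, so a RequestDispatcher forward is checked just like a direct request. It uses the `dispatcherTypes` attribute of `@WebFilter`, which was introduced in later servlet releases (3.0) rather than the 2.3 draft under discussion; the `/P.jsp` path and the `user` role are assumed placeholders.

```java
import java.io.IOException;
import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Runs for the protected page on direct requests AND on forward/include
// dispatches, closing the gap where <security-constraint> is evaluated only
// against the original request URI. Path and role are assumed placeholders.
@WebFilter(
    urlPatterns = "/P.jsp",
    dispatcherTypes = {DispatcherType.REQUEST, DispatcherType.FORWARD, DispatcherType.INCLUDE})
public class ForwardAuthFilter implements Filter {

    private static final String REQUIRED_ROLE = "user"; // assumed role name

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getRemoteUser()/isUserInRole() describe the principal authenticated on the
        // original request, so they remain meaningful inside a forward.
        if (request.getRemoteUser() == null || !request.isUserInRole(REQUIRED_ROLE)) {
            // Record the dispatcher type so forward-based reaches of the page show up in logs.
            request.getServletContext().log("Denied " + request.getDispatcherType()
                + " access to " + request.getRequestURI()
                + " for user " + request.getRemoteUser());
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Inside a forward the request's path methods reflect the target resource, so the logged URI is the protected page rather than the JSP that performed the forward.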