tomcat-users mailing list archives

From Matt Goss <mg...@rtci.com>
Subject Re: Security and Forward
Date Wed, 01 Nov 2000 15:10:16 GMT
cool, that's what I thought... thanks :)
Matt

Steve Goyette wrote:

> redirect, I believe, sends the "Location:" header to your browser.  Your
> browser then in turn makes a new request.  In this case the security
> constraint WOULD apply.  Also understand in a redirect you are dealing with
> a new request, so you must pass all the request parameters you want in the
> redirect statement.
>
> steve
>
> > From: Matt Goss <mgoss@rtci.com>
> > Organization: RTCI
> > Reply-To: tomcat-user@jakarta.apache.org
> > Date: Wed, 01 Nov 2000 09:09:08 -0500
> > To: tomcat-user@jakarta.apache.org
> > Subject: Re: Security and Forward
> >
> > Hi,
> > what if you use a redirect instead of forward?
> > Matt Goss
> >
> > "Craig R. McClanahan" wrote:
> >
> >> Carole HEBRARD wrote:
> >>
> >>> Hi.
> >>>
> >>> I have the following behaviour in Tomcat 3.2b6 on Windows NT.
> >>> I protect a page P using security-constraint in the deployment
> >>> descriptor. So when I call this page, the browser asks me for a
> >>> login/password.
> >>> Now, I have a JSP page which is    <jsp:forward page="P" />.
> >>> When I call the JSP page, I see the P page without giving any
> >>> login/password.
> >>>
> >>> I think that this is a security hole.
> >>> Has anyone already seen that behaviour? Is it a bug or is it ok?
> >>>
> >>
> >> This was recently clarified in discussions for servlet 2.3.  Security
> >> constraints apply only on the initial request URI, not on the URIs used
> >> for request dispatchers.  The assumption is that your application knows
> >> whether or not the forwarded-to page is acceptable, or it would not have
> >> done the forward in the first place.
> >>
> >> In 2.3, the same rule applies to filters -- they are only based on the
> >> original request URI.
> >>
> >>>
> >>> Best Regards,
> >>> Carole Hébrard.
> >>
> >> Craig McClanahan
> >

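As an added example, not code from this thread or from Tomcat itself, the servlet below shows the distinction Craig and Steve describe: a security-constraint on /P.jsp is enforced when the browser requests that URI directly or is sent there by sendRedirect, but not when server-side code reaches it through RequestDispatcher.forward, because the container matches constraints against the original request URI only. The servlet class name, the /redirect, /forward and /checked mappings, the "member" role and the WEB-INF/jsp/P.jsp location are assumptions for illustration.

```java
// Added example for the tomcat-user thread above; not from the thread or from Tomcat.
// Servlet API 2.2/2.3 style. Assumed web.xml fragment, shown here as a comment:
//
//   <security-constraint>
//     <web-resource-collection>
//       <web-resource-name>Protected page</web-resource-name>
//       <url-pattern>/P.jsp</url-pattern>
//       <url-pattern>/checked</url-pattern>
//     </web-resource-collection>
//     <auth-constraint>
//       <role-name>member</role-name>
//     </auth-constraint>
//   </security-constraint>
//   <login-config>
//     <auth-method>BASIC</auth-method>
//     <realm-name>Example</realm-name>
//   </login-config>
//   (DispatchDemoServlet is assumed to be mapped to /redirect, /forward and /checked.)
//
// Because the constraint is matched against the URI the browser asked for:
//   GET /P.jsp      -> 401 challenge until credentials for role "member" are supplied
//   GET /redirect   -> 302 to /P.jsp; the browser's follow-up request is challenged
//   GET /forward    -> P.jsp content is returned with no challenge at all
//   GET /checked    -> challenged by the container, then role-checked again in code

import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class DispatchDemoServlet extends HttpServlet {

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String path = req.getServletPath();

        if ("/redirect".equals(path)) {
            // A redirect produces a brand-new request from the browser, so the
            // container re-evaluates the security constraint on /P.jsp. Request
            // parameters do not carry over; anything P.jsp needs goes in the URL.
            String target = req.getContextPath() + "/P.jsp?from=redirect";
            resp.sendRedirect(resp.encodeRedirectURL(target));

        } else if ("/forward".equals(path)) {
            // A forward stays inside the same request on the server side. The
            // constraint on /P.jsp is NOT applied, which is the behaviour Carole
            // observed. Whoever can reach /forward can read P.jsp unauthenticated.
            RequestDispatcher rd = req.getRequestDispatcher("/P.jsp");
            rd.forward(req, resp);

        } else if ("/checked".equals(path)) {
            // Safe pattern: constrain the entry point (/checked) in web.xml so the
            // container authenticates the caller, keep the real page under WEB-INF/
            // where no direct request can fetch it, and verify the role in code as
            // defence in depth before forwarding.
            if (req.getRemoteUser() == null || !req.isUserInRole("member")) {
                resp.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            req.getRequestDispatcher("/WEB-INF/jsp/P.jsp").forward(req, resp);

        } else {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
        }
    }
}
```

The practical rule that follows from Craig's explanation: a security-constraint only protects what the browser can name in a request URI, so a page that must never be seen without authentication should either be reached only through URIs that are themselves constrained, or live under WEB-INF/ so that the only route to it is code that has already checked the caller. (Later servlet specifications, from 2.4 onward, let a filter mapping declare `<dispatcher>FORWARD</dispatcher>` so that a filter also runs on forwarded requests; the container's declarative security-constraint still applies to the original request URI only.)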