From Steve Goyette <>
Subject Re: Security and Forward
Date Wed, 01 Nov 2000 13:42:35 GMT
redirect, I believe, sends the "Location:" header to your browser.  Your
browser then in turn makes a new request.  In this case the security
constraint WOULD apply.  Also understand in a redirect you are dealing with
a new request, so you must pass all the request parameters you want in the
redirect statement.


> From: Matt Goss <>
> Organization: RTCI
> Reply-To:
> Date: Wed, 01 Nov 2000 09:09:08 -0500
> To:
> Subject: Re: Security and Forward
> Hi,
> what if you use a redirect instead of forward?
> Matt Goss
> "Craig R. McClanahan" wrote:
>> Carole HEBRARD wrote:
>>> Hi.
>>> I have the following behaviour in Tomcat 3.2b6 on Windows NT.
>>> I protect a page P using security-constraint in the deployment
>>> descriptor. So when I call this page, the browser asks me for a
>>> login/password.
>>> Now, I have a JSP page which is <jsp:forward page="P" />.
>>> When I call the JSP page, I see the P page without giving any
>>> login/password.
>>> I think that this is a security hole.
>>> Has anyone already seen that behaviour? Is it a bug or is it ok?
>> This was recently clarified in discussions for servlet 2.3.  Security
>> constraints apply only on the initial request URI, not on the URIs used
>> for request dispatchers.  The assumption is that your application knows
>> whether or not the forwarded-to page is acceptable, or it would not have
>> done the forward in the first place.
>> In 2.3, the same rule applies to filters -- they are only based on the
>> original request URI.
>>> Best Regards,
>>> Carole Hébrard.
>> Craig McClanahan

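A worked example of the distinction discussed in this thread, added here and not part of the original mailing list message or of Tomcat itself: a servlet mapped outside the constrained path that either redirects (so the container applies the security-constraint to the browser's new request) or enforces the role check itself before forwarding. The web.xml fragment, the `/protected/*` pattern, the `member` role and the `EntryServlet` name are assumptions made for this example.

```java
// Assumed deployment-descriptor fragment (constructed for this example):
//   <security-constraint>
//     <web-resource-collection>
//       <url-pattern>/protected/*</url-pattern>
//     </web-resource-collection>
//     <auth-constraint><role-name>member</role-name></auth-constraint>
//   </security-constraint>
// EntryServlet is assumed to be mapped outside /protected/ (e.g. /entry),
// so the container never evaluates the constraint for its own request.
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class EntryServlet extends HttpServlet {

    private static final String TARGET = "/protected/secret.jsp";

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {

        if ("redirect".equals(req.getParameter("mode"))) {
            // Redirect: the browser receives a Location: header and issues
            // a NEW request for /protected/secret.jsp, so the container
            // applies the constraint and challenges for credentials.
            // Parameters do not carry over; append the ones the target needs.
            resp.sendRedirect(req.getContextPath() + TARGET + "?from=entry");
            return;
        }

        // Forward: a server-side dispatch inside the SAME request, so the
        // container does not re-check /protected/*. The forwarding code
        // must therefore enforce the authorisation itself.
        if (req.getUserPrincipal() == null) {
            // Not logged in: bounce to the target so the container's own
            // login challenge runs instead of leaking the page.
            resp.sendRedirect(req.getContextPath() + TARGET);
            return;
        }
        if (!req.isUserInRole("member")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        RequestDispatcher rd = req.getRequestDispatcher(TARGET);
        rd.forward(req, resp);
    }
}
```

Without the two checks before `rd.forward`, an anonymous request to `/entry` renders the protected page exactly as Carole's `<jsp:forward>` did.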