tomcat-users mailing list archives

From Steve Goyette <st...@wildfire.net>
Subject Re: Security and Forward
Date Wed, 01 Nov 2000 13:42:35 GMT
Redirect, I believe, sends the "Location:" header to your browser.  Your
browser then in turn makes a new request.  In this case the security
constraint WOULD apply.  Also understand that in a redirect you are dealing
with a new request, so you must pass all the request parameters you want in
the redirect statement.

steve


> From: Matt Goss <mgoss@rtci.com>
> Organization: RTCI
> Reply-To: tomcat-user@jakarta.apache.org
> Date: Wed, 01 Nov 2000 09:09:08 -0500
> To: tomcat-user@jakarta.apache.org
> Subject: Re: Security and Forward
> 
> Hi,
> what if you use a redirect instead of forward?
> Matt Goss
> 
> "Craig R. McClanahan" wrote:
> 
>> Carole HEBRARD wrote:
>> 
>>> Hi.
>>> 
>>> I have the following behaviour in Tomcat 3.2b6 on Windows NT.
>>> I protect a page P using security-constraint in the deployment
>>> descriptor. So when I call this page, the browser asks me for a
>>> login/password.
>>> Now, I have a JSP page which is    <jsp:forward page="P" />.
>>> When I call the JSP page, I see the P page without giving any
>>> login/password.
>>> 
>>> I think that this is a security hole.
>>> Has anyone already seen that behaviour? Is it a bug or is it ok?
>>> 
>> 
>> This was recently clarified in discussions for servlet 2.3.  Security
>> constraints apply only on the initial request URI, not on the URIs used
>> for request dispatchers.  The assumption is that your application knows
>> whether or not the forwarded-to page is acceptable, or it would not have
>> done the forward in the first place.
>> 
>> In 2.3, the same rule applies to filters -- they are only based on the
>> original request URI.
>> 
>>> 
>>> Best Regards,
>>> Carole Hébrard.
>> 
>> Craig McClanahan
> 
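The two behaviours discussed in this thread side by side, as an added example that is not code from the thread, from Tomcat or from the servlet specification. It assumes a web.xml that declares a <security-constraint> with <url-pattern>/protected/*</url-pattern> and an <auth-constraint> for a role named "user", a JSP at /protected/P.jsp (both names are hypothetical, standing in for Carole's page P), a servlet mapped to the unprotected path /entry, and the javax.servlet API (Tomcat 9 and earlier; Tomcat 10 and later use the jakarta.servlet package with the same method names).

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example: an unprotected entry point that reaches a page covered by a
 * <security-constraint> (assumed here: /protected/*, role "user").
 *
 *   /entry?mode=forward   RequestDispatcher.forward(): the container matched
 *                         the constraint against the original URI /entry only,
 *                         so the protected page is rendered with no login.
 *                         This is what Carole saw and what Craig describes
 *                         as the specified behaviour.
 *   /entry?mode=redirect  sendRedirect(): the browser issues a brand-new
 *                         request to /protected/P.jsp, so the constraint
 *                         applies and the login challenge appears (Steve's
 *                         point). Any state has to travel in the URL.
 *   /entry?mode=checked   The forward, guarded by the application itself,
 *                         which is the check the spec's assumption relies on.
 */
public class EntryServlet extends HttpServlet {

    // Hypothetical target; any page under the constrained URL pattern will do.
    private static final String PROTECTED_PAGE = "/protected/P.jsp";
    // Hypothetical role name; must match the <role-name> in web.xml.
    private static final String REQUIRED_ROLE = "user";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String mode = req.getParameter("mode");
        if (mode == null) {
            mode = "forward";
        }

        switch (mode) {
            case "forward":
                // No security check happens here: the dispatcher path is never
                // matched against <url-pattern>; only the original URI was.
                RequestDispatcher rd = req.getRequestDispatcher(PROTECTED_PAGE);
                rd.forward(req, resp);
                return;

            case "redirect":
                // A redirect is a new request, so forwarded request attributes
                // are gone; carry what the target needs as query parameters.
                // encodeRedirectURL keeps the session id when cookies are off.
                String target = req.getContextPath() + PROTECTED_PAGE
                        + "?from=" + URLEncoder.encode(req.getRequestURI(), "UTF-8");
                resp.sendRedirect(resp.encodeRedirectURL(target));
                return;

            case "checked":
                // The application decides whether the forward is acceptable.
                if (req.getUserPrincipal() == null) {
                    // Not authenticated: send the browser to the constrained
                    // URL so the container issues its own login challenge.
                    resp.sendRedirect(resp.encodeRedirectURL(
                            req.getContextPath() + PROTECTED_PAGE));
                    return;
                }
                if (!req.isUserInRole(REQUIRED_ROLE)) {
                    // Authenticated but not authorised for this page.
                    resp.sendError(HttpServletResponse.SC_FORBIDDEN);
                    return;
                }
                req.getRequestDispatcher(PROTECTED_PAGE).forward(req, resp);
                return;

            default:
                resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "unknown mode");
        }
    }
}
```

Deploy the class with a <servlet-mapping> for /entry, leave /entry outside any <security-constraint>, and compare the three modes in a browser with a fresh session: only the redirect and the guarded forward produce the login prompt. Craig's remark about filters holds for Servlet 2.3 as stated; from Servlet 2.4 onward a <filter-mapping> can add <dispatcher>FORWARD</dispatcher> to make a filter run on forwards as well, but that does not change how <security-constraint> is evaluated.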

