Mailing-List: contact tomcat-user-help@jakarta.apache.org; run by ezmlm
Message-Id: <sa23e096.016@topgun.adsyg.com>
Date: Tue, 28 Nov 2000 16:42:43 -0500
From: "Charlie Hinson" <chinson@adsyg.com>
To: <tomcat-user@jakarta.apache.org>
Subject: Re: Protected Page Assertion method
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

Yes this is what we have found. Therefore, we have created our own by =
revealing several request methods through the facade. This works great for =
us, but doesn't lend itself to sites that host for multiple organizations. =
Since this is very useful for complex web sites, I would consider =
submitting some work in this area if I could get some input from the team. =
The proposed method would reside in the request facade (?), ie. request.ass=
ertPageAuth(pathToCheck). Along with this, the ability to authenticate/auth=
orize is necessary. Which I have also implemented in my servlet container. =
Who on the team is working in this area and would be willing to help or =
give some useful design input?


Charlie

>>> Craig.McClanahan@eng.sun.com 11/28/00 03:42PM >>>
Charlie Hinson wrote:

> Is there an easy way to tell if a page is going to require authentication=
/authorization before it is dynamically included within a jsp/servlet.
>
> Charlie

If you are using container-managed security, pages that are included (with =
<jsp:include> or RequestDispatcher.include()) do not have security
constraints applies against them.  The servlet container only looks at the =
request URI of the original request to decide what security constraint
to apply.

If you are managing security inside your own application, the answer to =
this question is totally dependent on your application.

Craig McClanahan