tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Achim Baier" <>
Subject Security question
Date Wed, 29 Aug 2001 13:50:45 GMT
Hello everybody, 

I just tried to make a HTTPS connection to a web-application on tomcat
3.2.2. Because of the documentation it was not difficult but I
recognized something I want to ask about.

I have a directory "/secure/". Every resource inside is protected by
"web.xml" security constraint (pattern "/secure/*" transport-guarantee
"CONFIDENTIAL"). In this directory I have 2 files ("index_1.jsp" and
"component.jsp"). I also have another JSP page ("index_2.jsp") outside
the secured directory. "index_1.jsp" makes a <jsp:include

If I try to view "index_1.jsp" (or "component.jsp" directly) I have to
use HTTPS and to login. But if "index_2.jsp" also does a <jsp:include
page="component.jsp"> I'm able to view the page with HTTP and without
login. Because <jsp:include> is executed at request time it should (be
able to) check permissions. 

I could use "userInRole" and check the schema inside "component.jsp" but
this would break my goal to just use declarative security. My business
layer objects could check this (if I use EJBs I could also use
declaratice security) but I still have a bad feeling about that. It will
be possible to view secured content within every JSP-page. It's not
enough to look at the deployment descriptor and the page/component which
should be protected but also to every other page.

Now my question:
Am I wrong-minded, is it bug or is it a jsp/servlet/j2ee-feature? Any

Thanks in advance,

View raw message