tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Craig R. McClanahan" <craig...@apache.org>
Subject Re: Security question
Date Sun, 02 Sep 2001 05:31:13 GMT


On Wed, 29 Aug 2001, Achim Baier wrote:

>
> Now my question:
> Am I wrong-minded, is it bug or is it a jsp/servlet/j2ee-feature? Any
> comments?
>

Security constraints that you mention in your web.xml deployment
descriptor are *only* applied to the original request URI, *not* to any
request URI that is included by your servlet or JSP page.  That is by
design.

If the content from a particular include should not be displayed to a
particular user (because they don't have a required role), you should not
be doing the include in the first place.

> Thanks in advance,
> Achim
>

Craig McClanahan



Mime
View raw message