tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jeffrey Winter" <jeffreywin...@attbi.com>
Subject Re: Authentication and Filters
Date Fri, 10 Jan 2003 02:10:29 GMT
> A key rule to remember is that security constraints are applied *only* on
> the original URL requested by the client -- not on RequestDispatcher
> calls.  I would bet you probably have "/resource/*" protected, but you'll
> likely want to protect "/user/*" as well.

Thanks, this is a great help.  You're right, for /user/*, GET requires
authentication,
but POST doesn't which looks to be why it was working as I had outlined it.

But actually, given the nature of how I need to authenticate my resources,
it seems
that I would be better off in this particular circumstance to use Apache's
mod_rewrite
to setup the urls which would eliminate the RequestDispatcher altogether.


--
To unsubscribe, e-mail:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>


Mime
View raw message