tomcat-users mailing list archives

From "Jeffrey Winter" <>
Subject Re: Authentication and Filters
Date Fri, 10 Jan 2003 02:10:29 GMT
> A key rule to remember is that security constraints are applied *only* on
> the original URL requested by the client -- not on RequestDispatcher
> calls.  I would bet you probably have "/resource/*" protected, but you'll
> likely want to protect "/user/*" as well.

Thanks, this is a great help.  You're right, for /user/*, GET requires
but POST doesn't, which looks to be why it was working as I had outlined it.

But actually, given the nature of how I need to authenticate my resources,
it seems that I would be better off in this particular circumstance to use
Apache's to set up the URLs, which would eliminate the RequestDispatcher altogether.
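
The rule quoted in this message, and the GET/POST difference on /user/*, can be checked mechanically against a deployment descriptor. The following is an added example, not part of the original message or of Tomcat: a Python audit over a constructed web.xml fragment. The `audit` function, the role name `member` and the constraint contents are assumptions, and URL patterns are compared by exact string only.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment (assumption, not from the thread): /resource/*
# is constrained for every method, /user/* only for GET.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>resources</web-resource-name>
      <url-pattern>/resource/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>member</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>users</web-resource-name>
      <url-pattern>/user/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>member</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def audit(web_xml, entry_patterns):
    """Report, per client-facing URL pattern, whether all methods need auth.

    entry_patterns must list every pattern a client can request directly:
    the container checks constraints on that original URL only, not on
    RequestDispatcher targets.
    """
    covered = {}  # pattern -> set of listed methods, or None for "all methods"
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        if sc.find("auth-constraint") is None:
            continue  # no auth-constraint: this entry does not require login
        for wrc in sc.iter("web-resource-collection"):
            methods = {m.text.strip().upper() for m in wrc.findall("http-method")}
            for p in wrc.findall("url-pattern"):
                pat, prev = p.text.strip(), covered.get(p.text.strip(), set())
                # No <http-method> elements means the constraint covers all methods.
                covered[pat] = None if (not methods or prev is None) else prev | methods
    findings = {}
    for pat in entry_patterns:
        if pat not in covered:
            findings[pat] = "no auth constraint"
        elif covered[pat] is None:
            findings[pat] = "ok"
        else:
            findings[pat] = "only " + ",".join(sorted(covered[pat])) + " constrained"
    return findings
```

Removing the `<http-method>` element from the /user/* collection makes that constraint apply to every method, which is what the audit reports as "ok".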
