From: "Jeffrey Winter"
To: "Tomcat Users List"
Subject: Re: Authentication and Filters
Date: Thu, 9 Jan 2003 21:10:29 -0500

> A key rule to remember is that security constraints are applied *only* on
> the original URL requested by the client -- not on RequestDispatcher
> calls. I would bet you probably have "/resource/*" protected, but you'll
> likely want to protect "/user/*" as well.

Thanks, this is a great help. You're right, for /user/*, GET requires authentication, but POST doesn't, which looks to be why it was working as I had outlined it.

But actually, given the nature of how I need to authenticate my resources, it seems that I would be better off in this particular circumstance to use Apache's mod_rewrite to set up the URLs, which would eliminate the RequestDispatcher altogether.
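
The gap discussed in this message, shown as web.xml fragments. This is an added example, not part of the original message or the poster's actual configuration; the role name `member` and the `web-resource-name` values are assumptions, and the `login-config` and `security-role` elements a full deployment descriptor needs are omitted.

```xml
<!-- Constructed web.xml fragments (alternatives, not one file).
     Role name "member" and resource names are assumptions. -->

<!-- Weak: the constraint lists only GET, so every other method on
     /user/* is uncovered. A POST to /user/* reaches the servlet
     without authentication, and if that servlet forwards to
     /resource/* through a RequestDispatcher, no constraint on
     /resource/* is evaluated, because constraints are matched
     against the original request URL only. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>user-get-only</web-resource-name>
    <url-pattern>/user/*</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>member</role-name>
  </auth-constraint>
</security-constraint>

<!-- Corrected: no http-method element, so the constraint applies to
     all methods, and both the client-facing path and the forward
     target are listed. Direct requests to either path now require
     authentication; forwarded requests are covered because the
     entry point /user/* is itself protected for every method. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>user-and-resource</web-resource-name>
    <url-pattern>/user/*</url-pattern>
    <url-pattern>/resource/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>member</role-name>
  </auth-constraint>
</security-constraint>
```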