tomcat-users mailing list archives

From "Caldarale, Charles R" <>
Subject RE: interaction between .forward() and <security-constraint>
Date Sat, 04 Sep 2010 14:20:28 GMT
> From: Brian McBride [] 
> Subject: interaction between .forward() and <security-constraint>

> I want to have no authorization constraint because some resources have 
> public access and no authentication is required for access to those 
> resources.

Declarative security is intentionally static; there's nothing in the spec that allows for
the accessibility of a resource to change after deployment.  If the public resources are always
public, you can declare their <url-pattern> values in web.xml and omit the <auth-constraint>
for those patterns - but that's only useful if everything else is protected with an <auth-constraint>.

> Is there a way I can programmatically cause the authentication check?

If you're using programmatic security, you are responsible for the authentication and authorization.

> Is there another way to implement discretionary access control, other 
> than implementing my own authentication mechanism?  Has anyone else 
> solved this problem?

What you're trying to do is completely outside the spec, so you're pretty much on your own.

> Is Tomcat's behaviour 'correct'?  There may be good reason for the 
> current interpretation of the spec, but from my point of view allowing 
> .forward() to circumvent declared security constraints is questionable.

This is very plainly stated in SRV.12.2:

"The security model applies to the static content part of the web application and to servlets
and filters within the application that are requested by the client.  The security model does
not apply when a servlet uses the RequestDispatcher to invoke a static resource or servlet
using a forward or an include."

 - Chuck
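As an added example (not code from this thread), the mitigation that follows from the answer above: a servlet that re-checks the caller itself before forwarding into a protected area, because the container does not apply the declared `<security-constraint>` on a `RequestDispatcher.forward()`. It assumes a web.xml that protects `/protected/*` with an `<auth-constraint>` for the role `admin`; the role name, resource paths and the `view` request parameter are hypothetical.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Front servlet that forwards to other resources in the same web application.
 * Assumed web.xml (not shown): a <security-constraint> covering /protected/*
 * with <auth-constraint><role-name>admin</role-name>. Per SRV.12.2 that
 * constraint is checked only on client requests, not on forwards, so this
 * servlet repeats the check before forwarding.
 */
public class GuardedForwardServlet extends HttpServlet {

    // Hypothetical role name; must match the <role-name> in web.xml.
    private static final String REQUIRED_ROLE = "admin";

    // Allow-list of forward targets keyed by the "view" parameter, so the
    // client can never choose an arbitrary path (e.g. under /WEB-INF).
    private static final Map<String, String> VIEWS = new HashMap<String, String>();
    static {
        VIEWS.put("help", "/public/help.jsp");          // public, no check needed
        VIEWS.put("report", "/protected/report.jsp");   // declared protected
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String target = VIEWS.get(req.getParameter("view"));
        if (target == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Re-apply, in code, the rule web.xml applies only to direct requests.
        if (target.startsWith("/protected/") && !isAuthorized(req)) {
            // A real application might redirect to its login page instead.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        RequestDispatcher rd = getServletContext().getRequestDispatcher(target);
        rd.forward(req, resp);
    }

    /** True only for an authenticated caller holding the required role. */
    static boolean isAuthorized(HttpServletRequest req) {
        return req.getUserPrincipal() != null && req.isUserInRole(REQUIRED_ROLE);
    }
}
```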


