tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Caldarale, Charles R" <>
Subject RE: Security Constraints With URL Rewrite filter
Date Thu, 22 Dec 2011 04:41:19 GMT
> From: Jerry Malcolm [] 
> Subject: Security Constraints With URL Rewrite filter

> I assume that the security constraint now applies to the 
> pattern that come INTO the filter.

Not sure what you mean by "now applies", but it's always that way.

> So instead of constraining /jsp/myadmintask/*.jsp in web.xml, I
> now need to constrain the inbound url "/doadmin".  Is that correct?

Since we don't really know what your new URLs are, we can't say, can we?

> I just need some education here.

The first place to look to find out how things are supposed to work is the servlet spec; SRV.12.2

"The security model applies to the static content part of the web application and to servlets
and filters within the application that are requested by the client.  The security model does
not apply when a servlet uses the RequestDispatcher to invoke a static resource or servlet
using a forward or an include."

(Admittedly, the above doesn't mention filters, but the intent appears to be that any use
of RequestDispatcher is done after security constraints have been satisfied so that such use
can retrieve otherwise inaccessible resources.)

> Alternatively, is there some way for me to do the 
> requestdispatcher.forward call from the filter, and tell it to 
> honor security constraints on the folder structure like it
> worked prior to adding the rewrite function?

Don't think so, since security constraints are applied very early in the request processing
cycle, before any servlet/filter processing occurs.  You could configure the UrlRewriteFilter
to do a redirect instead of a forward - but that would expose the rewritten URLs to the client.

 - Chuck

for use only by the intended recipient. If you received this in error, please contact the
sender and delete the e-mail and its attachments from all computers.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message