tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Chema <demablo...@gmail.com>
Subject Re: Security Constraints With URL Rewrite filter
Date Wed, 21 Dec 2011 23:04:19 GMT
Well, I don't know about this , but

What is the "URLRewrite" filter ? A Servlet filter ?

You can try to write a Valve and test if it works. I think it's
processed before calling container code. Maybe ...
Or to configure a proxy web to rewrite . I did't make this before, but
I know it's possible. If I find some info about this, I send it to you

Bye

2011/12/21 Jerry Malcolm <2ndgenfilms@gmail.com>:
> I structure my webapps with different JSP folders for different user role
> access, and define the folder patterns in web.xml for each role access.
> This has worked for many years in my webapps.  But in the interest of
> getting cleaner URLs, I've written a URLRewrite filter.  The rewrite filter
> is correctly rewriting the URLs and forwarding the requests.  But I just
> noticed something I hadn't counted on.  The security constraints no longer
> apply to the call to the rewritten URLs from the filter.  In other words,
> JSPs in /jsp/admin folder are configured to require "admin" role.  But I
> can call a JSP from inside the filter to /jsp/admin/myadmintask.jsp and no
> security challenge occurs.
>
> I guess this makes sense to me.  I just wasn't expecting it.  I assume that
> the security constraint now applies to the pattern that come INTO the
> filter.  So instead of constraining /jsp/myadmintask/*.jsp in web.xml, I
> now need to constrain the inbound url "/doadmin".  Is that correct?
>
> I just need some education here.  Is it correct that should map all of the
> URL patterns that come INTO the rewrite filter?  Alternatively, is there
> some way for me to do the requestdispatcher.forward call from the filter,
> and tell it to honor security constraints on the folder structure like it
> worked prior to adding the rewrite function?
>
> Thanks.
>
> Jerry

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message