tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Konstantin Kolinko <>
Subject Re: Security Constraints With URL Rewrite filter
Date Thu, 22 Dec 2011 04:45:57 GMT
2011/12/22 Jerry Malcolm <>:
> I structure my webapps with different JSP folders for different user role
> access, and define the folder patterns in web.xml for each role access.
> This has worked for many years in my webapps.  But in the interest of
> getting cleaner URLs, I've written a URLRewrite filter.  The rewrite filter
> is correctly rewriting the URLs and forwarding the requests.  But I just
> noticed something I hadn't counted on.  The security constraints no longer
> apply to the call to the rewritten URLs from the filter.  In other words,
> JSPs in /jsp/admin folder are configured to require "admin" role.  But I
> can call a JSP from inside the filter to /jsp/admin/myadmintask.jsp and no
> security challenge occurs.

Yes, constraints are applied to incoming URLs only.

One you have reached the web application, the web application itself
can forward/include jsps and servlets from any addresses inside of it.

One similar example (not related to authentication) is that you can
place JSPs into WEB-INF folder.  Those will not be accessible from
outside, but they will be accessible when you programmatically forward
to them /include them. That is useful when using MVC design pattern .

If you want to be sure, try reading the Servlet spec.

> I guess this makes sense to me.  I just wasn't expecting it.  I assume that
> the security constraint now applies to the pattern that come INTO the
> filter.  So instead of constraining /jsp/myadmintask/*.jsp in web.xml, I
> now need to constrain the inbound url "/doadmin".  Is that correct?
> I just need some education here.  Is it correct that should map all of the
> URL patterns that come INTO the rewrite filter?

Yes. Though note that URL pattern matching in web.xml is less powerful
than the one in urlrewrite filter.  Only prefixes or extensions. No

>  Alternatively, is there
> some way for me to do the requestdispatcher.forward call from the filter,
> and tell it to honor security constraints on the folder structure like it
> worked prior to adding the rewrite function?

You cannot trigger it from a filter. Maybe you can do from a Valve
(because it has access to Tomcat internals), but that would still be

It is possible to use 3-rd party filters (or a custom filter) as a
replacement to container-manager security. Note that you have to
explicitly configure filter-mapping to match forwarded or included
requests (see the spec).

Best regards,
Konstantin Kolinko

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message