tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jerry Malcolm <>
Subject Security Constraints With URL Rewrite filter
Date Wed, 21 Dec 2011 20:55:14 GMT
I structure my webapps with different JSP folders for different user role
access, and define the folder patterns in web.xml for each role access.
This has worked for many years in my webapps.  But in the interest of
getting cleaner URLs, I've written a URLRewrite filter.  The rewrite filter
is correctly rewriting the URLs and forwarding the requests.  But I just
noticed something I hadn't counted on.  The security constraints no longer
apply to the call to the rewritten URLs from the filter.  In other words,
JSPs in /jsp/admin folder are configured to require "admin" role.  But I
can call a JSP from inside the filter to /jsp/admin/myadmintask.jsp and no
security challenge occurs.

I guess this makes sense to me.  I just wasn't expecting it.  I assume that
the security constraint now applies to the pattern that come INTO the
filter.  So instead of constraining /jsp/myadmintask/*.jsp in web.xml, I
now need to constrain the inbound url "/doadmin".  Is that correct?

I just need some education here.  Is it correct that should map all of the
URL patterns that come INTO the rewrite filter?  Alternatively, is there
some way for me to do the requestdispatcher.forward call from the filter,
and tell it to honor security constraints on the folder structure like it
worked prior to adding the rewrite function?



  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message