From the spec:

****
The security model applies to the static content part of the web application
and to servlets within the application that are requested by the client. The
security model does not apply when a servlet uses the RequestDispatcher to
invoke a static resource or servlet using a forward or an include.
****
 
So for forward and include, Tomcat is merely following the spec. ("works
as intended").  But for an actual response.sendRedirect(), I'm not sure
why that wouldn't work.  It will be a brand new request from your
browser, and if you are sendRedirecting *to* a secured resource, you
should be authenticated.  


> -----Original Message-----
> From: John MccLain [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, February 24, 2004 11:26 AM
> To: Tomcat user list
> Subject: Security and includes question
> 
> 
> In reading a Tomcat manual, I noticed that security 
> constraints are only applied via client interactions with the 
> secured object, i.e., if you redirect from within a secured 
> object to another secured object, the redirection is not 
> authenticated. Is there a way in Tomcat to secure ALL the 
> objects you need and only use declarative security to 
> authorize access to your objects instead of programmatic 
> security where you check for authorization in code??
> 
> 
> 
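
One way to cover the gap the spec excerpt describes, as an added example that is not part of the original thread: a filter that re-checks the caller's role on internal forwards and includes. It assumes a Servlet 2.4 or later container (where filter mappings accept `<dispatcher>` elements); the filter name, the `/secure/*` pattern and the `requiredRole` init-param are hypothetical.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/*
 * Hypothetical web.xml mapping: run the filter on internal dispatches, which the
 * container's <security-constraint> check does not cover.
 *   <filter-mapping>
 *     <filter-name>dispatchRoleFilter</filter-name>
 *     <url-pattern>/secure/*</url-pattern>
 *     <dispatcher>FORWARD</dispatcher>
 *     <dispatcher>INCLUDE</dispatcher>
 *   </filter-mapping>
 */
public class DispatchRoleFilter implements Filter {
    private String requiredRole;

    public void init(FilterConfig cfg) throws ServletException {
        requiredRole = cfg.getInitParameter("requiredRole"); // hypothetical init-param
        if (requiredRole == null) {
            throw new ServletException("requiredRole init-param is missing");
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // isUserInRole() returns false for an unauthenticated caller, so this fails closed.
        if (!request.isUserInRole(requiredRole)) {
            // The container sets this attribute only while processing an include.
            if (request.getAttribute("javax.servlet.include.request_uri") != null) {
                // An included resource cannot change the response status, so abort instead.
                throw new ServletException("include of protected resource denied");
            }
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() {}
}
```

This is a programmatic check wired in declaratively through the filter mapping; the `<security-constraint>` itself still only fires on requests that come from the client, such as the new request a `response.sendRedirect()` produces.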

