> -----Original Message-----
> From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
> Sent: November 15, 2000 8:51 PM
> To: [EMAIL PROTECTED]
> Subject: Re: *.jsp "back door" issue
>
> Joel Schneider wrote:
>
> > Description of Problem:
> >
> > A typical Struts based web site might be configured to have requests
> > matching the pattern"*.do" sent to the ActionServlet.
> After a request is
> > handled by its Action class, processing is typically
> forwarded to a .jsp
> > page.
> >
> > However, it's also possible for users to directly request a
> .jsp page.
> > When this happens, the JSP container (in my case, Orion)
> will process the
> > .jsp page without any involvement by the ActionServlet.
> Some .jsp pages
> > may yield unexpected results when called in this manner.
> >
>
> Besides David Geary's suggestion, another approach is
> supported by the servlet
> API if you are using container-managed security for your
> application. You can
> define a security constraint that lists no roles as being
> allowed, which the
> servlet container will interpret as not allowing access to
> anyone directly
> from a request. You can forward to (or include) such a page
> -- just not
> request it directly.
>
> Note that this behavior was not clearly specified in the 2.2
> servlet spec, so
> your mileage might vary there -- but all 2.3 containers are
> required to act
> this way.
Can you clarify this (I don't have the Servlet 2.3 specs around right now,
but will look this up myself later if needed.
I have actually noticed that Resin 1.2 and TomCat 3.2 differ in this
respect. If you have declarative security set for your paths, and you come
in from the browser, but servlet engines will redirect you to a login if
needed, and check roles on access. If you then internally do a forward to
another url, Resin will agian check roles, while TomCat will not. Are you
saying that Resin is not compliant with the Servlet 2.3 specs, and TomCat
is?
