> 6.8 Container Managed Security Constraints
> Due to the way that Tomcat 3.2 is implemented, container managed security
> constraints are imposed both on the original request URI *and* on subrequests
> initiated to handle RequestDispatcher.forward() or RequestDispatcher.include()
> calls.
Since I did part of the implementation, my intention was to check the
security constraints on forward and include.
The reason - it's a huge security hole to not check them ( IMHO ) - a site
running multiple webapps ( with different security constraints ) may be
compromised if the constraints of the original requests are propagated on
forward. ( you can get a request dispatcher for a different webapp - and
then call include for a "secure" page ). Disabling access to other webapps
is not allways possible or a good idea.
Of course, in 2.3 that seems to be required by the spec - I just hope I'm
wrong and there is a way to avoid the security hole.
> This does *not* seem to be the case. I have an example that uses the RD to
> forward() to JSP pages that are protected from direct access using BASIC
> authentication. It works exactly as it should: forward() invokes them but
> a direct access prompts for username/password. You may want to look at
If this is the case probably something changed in the implementation, and
we should at least find out if the danger is real and document that.
Costin
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
