Mark Thill wrote:
>
> if I place a servlet in a non-secure area and a jsp page in
> a secure area I can use:
>
>   getRequestDispatcher(url).forward(request, response);
>
> to seemingly bypass the security. Can anyone tell me if
> this is by design
>

SRV.12.2 Declarative Security

  The security model applies to the static content part of the
  web application and to servlets within the application that
  are requested by the client. The security model does not
  apply when a servlet uses the RequestDispatcher to invoke a
  static resource or servlet using a forward or an include.

The spec is available at:

  http://java.sun.com/products/servlet/download.html

--
Christopher St. John [EMAIL PROTECTED]
DistribuTopia
http://www.distributopia.com
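Because the container does not re-apply declarative constraints on a forward, the forwarding servlet has to make the access decision itself. The sketch below is an added example, not code from either poster; the class name, JSP path and role name are assumptions, and it needs the servlet API on the classpath.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet mapped to a URL that no <security-constraint> covers.
public class ReportForwardServlet extends HttpServlet {

    // Assumed names: the JSP that sits under a protected url-pattern,
    // and the role that the constraint on that pattern requires.
    private static final String PROTECTED_JSP = "/secure/report.jsp";
    private static final String REQUIRED_ROLE = "manager";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // SRV.12.2: the constraint on /secure/* is evaluated only for requests
        // that arrive from the client, not for a RequestDispatcher forward.
        // Repeat the role check here before handing the request over.
        // isUserInRole() returns false when the caller is not authenticated.
        if (!request.isUserInRole(REQUIRED_ROLE)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return; // do not fall through to the forward
        }

        // Caller holds the required role; the forward is now an
        // authorized internal dispatch rather than a way around the constraint.
        request.getRequestDispatcher(PROTECTED_JSP).forward(request, response);
    }
}
```

Mapping the forwarding servlet itself under a protected url-pattern achieves the same result declaratively, since the constraint is then applied to the client's original request.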