Mark Thill wrote:
>
> If I place a servlet in a non-secure area and a JSP page in
> a secure area I can use:
>
> getRequestDispatcher(url).forward(request, response);
>
> to seemingly bypass the security. Can anyone tell me if
> this is by design
>
SRV.12.2 Declarative Security
The security model applies to the static content
part of the web application and to servlets within
the application that are requested by the client.
The security model does not apply when a servlet
uses the RequestDispatcher to invoke a static
resource or servlet using a forward or an include.
The spec is available at:
http://java.sun.com/products/servlet/download.html
--
Christopher St. John [EMAIL PROTECTED]
DistribuTopia http://www.distributopia.com
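
Because the container does not re-apply the declarative constraints on a forward, the forwarding servlet has to repeat them itself. The sketch below is an added example, not part of the original post or of the spec; the class name, JSP path and role name are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet mapped at a URL that no <security-constraint> covers.
public class ReportForwardServlet extends HttpServlet {

    // Assumed values: the protected JSP and the role its constraint names.
    private static final String PROTECTED_JSP = "/secure/report.jsp";
    private static final String REQUIRED_ROLE = "manager";

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // forward() skips the web.xml constraint on PROTECTED_JSP, so the
        // checks the container would have made are repeated here.
        if (!isAllowed(request)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return; // fail closed: never reach the dispatcher
        }
        request.getRequestDispatcher(PROTECTED_JSP).forward(request, response);
    }

    // Mirrors an <auth-constraint> plus a CONFIDENTIAL <transport-guarantee>.
    static boolean isAllowed(HttpServletRequest request) {
        // isUserInRole() returns false for an unauthenticated caller.
        boolean roleOk = request.isUserInRole(REQUIRED_ROLE);
        // isSecure() reports whether the request arrived over HTTPS.
        boolean transportOk = request.isSecure();
        return roleOk && transportOk;
    }
}
```

Mapping the forwarding servlet's own URL pattern under the same security constraint achieves the same result declaratively, since the constraint is evaluated on the client's original request.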