Hi,

> -----Original Message-----
> From: Mark Thill [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, February 14, 2002 5:05 PM
> To: [EMAIL PROTECTED]
> Subject: TC4 Realm Problem
> 
> 
> I just started testing realms with the default
> installation that comes with Tomcat 4.0.1, so I'm
> using the MemoryRealm.  I'm having an issue where if I
> place a servlet in a non-secure area and a jsp page in
> a secure area that I can use:
> 
> getServletContext().getRequestDispatcher(url).forward(request,
> response);
> 
> from the servlet to seemingly bypass the security
> addressed by the realm and forward right into the
> secure area without authenticating.  Can anyone tell
> me if this is by design, am I doing something wrong,
> or if this is maybe a bug.
> 

All you need to answer your question is the Servlet Specification.

<spec name="Java Servlet Specification" version="2.3" part="SRV.12.2">
...
The security model applies to the static content part of the web application
and to servlets within the application that are requested by the client. The security
model does not apply when a servlet uses the RequestDispatcher to invoke a
static resource or servlet using a forward or an include.

</spec>



> Thanks
> Mark T.
> 

Anton
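
Added example, not part of the original thread or of Tomcat: because the container does not apply security constraints to a RequestDispatcher forward, the forwarding servlet can make the check itself before dispatching. The class name, the /secure/ prefix, the "manager" role and the JSP path are assumptions standing in for whatever web.xml declares for the protected area.

```java
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet mapped outside any <security-constraint>.
public class GuardedForwardServlet extends HttpServlet {

    // Assumed values: keep them in step with the <url-pattern> and
    // <role-name> of the security constraint in web.xml.
    private static final String SECURE_PREFIX = "/secure/";
    private static final String REQUIRED_ROLE = "manager";

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        forwardGuarded("/secure/report.jsp", request, response);
    }

    // Forwards to url only after repeating the check that the container
    // skips for forwards and includes (SRV.12.2).
    private void forwardGuarded(String url, HttpServletRequest request,
            HttpServletResponse response) throws ServletException, IOException {
        if (url.startsWith(SECURE_PREFIX)) {
            if (request.getUserPrincipal() == null) {
                // No authenticated user on this request: redirect instead of
                // forwarding. The browser then requests the protected URL
                // itself, and a client request is subject to the realm.
                response.sendRedirect(
                        response.encodeRedirectURL(request.getContextPath() + url));
                return;
            }
            if (!request.isUserInRole(REQUIRED_ROLE)) {
                // Authenticated, but not in the role the constraint requires.
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        RequestDispatcher dispatcher = getServletContext().getRequestDispatcher(url);
        if (dispatcher == null) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        dispatcher.forward(request, response);
    }
}
```

The check fails closed: when the request carries no principal, the decision goes back to the container through the redirect rather than being made in the servlet.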
