On Mon, 2 Dec 2002, Bill Barker wrote:
> Date: Mon, 2 Dec 2002 23:50:08 -0800
> From: Bill Barker <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: Filters don't affect request dispatcher forward
>
>
> "Craig R. McClanahan" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> >
> >
> > On 2 Dec 2002, Alexander Wallace wrote:
> >
> > > Date: 02 Dec 2002 18:41:26 -0600
> > > From: Alexander Wallace <[EMAIL PROTECTED]>
> > > Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> > > To: Tomcat Users List <[EMAIL PROTECTED]>
> > > Subject: Filters don't affect request dispatcher forward
> > >
> > > Hi there. I wrote a filter to ensure that resources that I want accessed
> > > using https are, and the ones that don't need to aren't.
> > >
> > > I found out that filters are only applied if the request came from the
> > > user, by typing the url or using a link, etc. They are not used if the
> > > resource is called using request dispatcher.
> > >
> > > Supposedly this is because of a lack of specifications in the servlet
> > > api, but that should be fixed in the api used by tomcat 5.
> > >
> > > Is all this correct?
> >
> > Yes, basically.
> >
> > > Is there a work around while tomcat 5 is released?
> >
> > You can use a security constraint with a <transport-guarantee> element to
> > require that certain accesses be performed only on SSL connections. Then,
> > the container will do the necessary redirect for you.
>
> Urm, on my reading of the 2.3 spec, this would be a bug if Tomcat 4.x
> enforces a <transport-guarantee> on a rd.forward/include.

You're correct ... security constraints (including transport guarantees) are
only applied on the initial request. I was offering an alternative to using a
filter for this purpose -- let the container do the work for you.

Not to mention that it's not actually possible to switch to SSL in the middle
of an existing HTTP request *without* doing a redirect ...

Craig
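
The `<transport-guarantee>` approach described in the reply above, shown as an added `web.xml` fragment that is not part of the original message. The resource name and the `/secure/*` URL pattern are assumptions chosen for illustration.

```xml
<!-- Added example, not from the thread: fragment of WEB-INF/web.xml. -->
<security-constraint>
  <web-resource-collection>
    <!-- Name and URL pattern are assumptions for illustration. -->
    <web-resource-name>HTTPS-only pages</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
    <!-- No <http-method> elements are listed, so the constraint
         covers every HTTP method for this pattern. -->
  </web-resource-collection>
  <user-data-constraint>
    <!-- CONFIDENTIAL requires an SSL connection; the container answers
         a plain HTTP request for a matching URL with a redirect. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

As the thread notes, the constraint is evaluated only against the URL of the initial client request, so a `RequestDispatcher` forward or include into `/secure/*` from a page fetched over plain HTTP is not checked.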
