it currently does not allow this. Apparently this ability will be added to the servlet spec 2.4 which would then be implemented in tomcat 5.x
Charlie > -----Original Message----- > From: Jacob Hookom [mailto:[EMAIL PROTECTED]] > Sent: Friday, January 10, 2003 9:37 AM > To: 'Tomcat Users List' > Subject: RE: Authentication and Filters > > > Authentication aside, does the servlet container work such that an > include or RD operation has the option of passing through the filter? > If so, as of which release? > > Best Regards, > Jacob > > | -----Original Message----- > | From: Tim Funk [mailto:[EMAIL PROTECTED]] > | Sent: Friday, January 10, 2003 6:30 AM > | To: Tomcat Users List > | Subject: Re: Authentication and Filters > | > | I meant 2.5 since changes to 2.4 are closed from my position in the > dev > | community. > | > | My point is only the incoming request is protected by the security > | constraint in web.xml. It may be nice to allow the > programmer to also > | check future dispatches for authorization before the > dispatch occurs. > | > | RequestDispatcher.isAuthorized() was to allow an admin to define > | additional security contraints in web.xml without writing code. This > | also requires the cooperation of the developer of a webapp to check > for > | this condition too. > | > | Sorry for starting to take this off-topic. > | > | -Tim > | > | Craig R. McClanahan wrote: > | > > | > On Thu, 9 Jan 2003, Tim Funk wrote: > | > > | > > | >>Date: Thu, 09 Jan 2003 21:15:12 -0500 > | >>From: Tim Funk <[EMAIL PROTECTED]> > | >>Reply-To: Tomcat Users List <[EMAIL PROTECTED]> > | >>To: Tomcat Users List <[EMAIL PROTECTED]> > | >>Subject: Re: Authentication and Filters > | >> > | >>Is there a chance (or worthwhile) that in Servlet API 2.5 a > developer > | >>could check if an obtained RequestDispatcher would violate a > security > | >>constraint in web.xml? > | >> > | > > | > > | > I assume you mean Servlet 2.4, right? > | > > | > > | >>For example the following new method: > | >>RequestDispatcher.isAuthorized() > | >>Returns true if the RequestDispatcher's url passes the constraints > | >>defined in web.xml > | > > | > > | > This does not seem likely to me. Nor does it seem > necessary. After > | all, > | > your application has available everything it needs to > know (through > | calls > | > like request.getUserPrincipal() and > request.isUserInRole()) to make > this > | > decision for itself. If the app chooses to forward, the container > is > | > going to assume that it knows what it is doing. > | > > | > Now that you can declare a Filter to be imposed on RD calls in > Servlet > | > 2.4, that might be a good place to implement a check like this. > | > > | > > | >>-Tim > | >> > | > > | > > | > Craig > | > > | > | > | -- > | To unsubscribe, e-mail: <mailto:tomcat-user- > | [EMAIL PROTECTED]> > | For additional commands, e-mail: <mailto:tomcat-user- > | [EMAIL PROTECTED]> > > > -- > To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]> -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>