> From: Jerry Malcolm [mailto:2ndgenfi...@gmail.com] > Subject: Security Constraints With URL Rewrite filter
> I assume that the security constraint now applies to the > pattern that come INTO the filter. Not sure what you mean by "now applies", but it's always that way. > So instead of constraining /jsp/myadmintask/*.jsp in web.xml, I > now need to constrain the inbound url "/doadmin". Is that correct? Since we don't really know what your new URLs are, we can't say, can we? > I just need some education here. The first place to look to find out how things are supposed to work is the servlet spec; SRV.12.2 says: "The security model applies to the static content part of the web application and to servlets and filters within the application that are requested by the client. The security model does not apply when a servlet uses the RequestDispatcher to invoke a static resource or servlet using a forward or an include." (Admittedly, the above doesn't mention filters, but the intent appears to be that any use of RequestDispatcher is done after security constraints have been satisfied so that such use can retrieve otherwise inaccessible resources.) > Alternatively, is there some way for me to do the > requestdispatcher.forward call from the filter, and tell it to > honor security constraints on the folder structure like it > worked prior to adding the rewrite function? Don't think so, since security constraints are applied very early in the request processing cycle, before any servlet/filter processing occurs. You could configure the UrlRewriteFilter to do a redirect instead of a forward - but that would expose the rewritten URLs to the client. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
