Change Notes item #459936, was opened at 2001-09-08 23:18 You can respond by visiting: http://sourceforge.net/tracker/?func=detail&atid=381174&aid=459936&group_id=22866 Category: None Group: v2.4.1 Status: Open Priority: 5 Submitted By: Scott M Stark (starksm) Assigned to: Scott M Stark (starksm) Summary: Fix JSP include of security content Initial Comment: Fix a security problem that showed up in the 2.4.0 release. The issue is that if a secured JSP page includes a sequence of jsp includes like: <jsp:include page="test.jsp" flush="true"> <jsp:param name="name" value="d1"/> </jsp:include> <jsp:include page="test.jsp" flush="true"> <jsp:param name="name" value="d2"/> </jsp:include> <jsp:include page="test.jsp" flush="true"> <jsp:param name="name" value="d3"/> </jsp:include> <jsp:include page="test.jsp" flush="true"> <jsp:param name="name" value="d4"/> </jsp:include> where test.jsp looks up a secured stateless session bean, only the first include succeeds. The later includes fail because the security association of the servlet request thread was lost. ---------------------------------------------------------------------- You can respond by visiting: http://sourceforge.net/tracker/?func=detail&atid=381174&aid=459936&group_id=22866 _______________________________________________ Jboss-development mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/jboss-development
