Please, do not waste reviewers' time directing public discussion to
security@ lists at the ASF. The developers who would resolve any such
issue reside at their respective dev@ lists.
If you want to point out an undisclosed, undiscussed issue, then the
appropriate security@ list would be the place.
2010/12/8 Obinna :
> Though not a bug, I can imagine that this unexpected behavior can catch many
> developers out and can be difficult to diagnose. It also requires that
> security considerations be handled (or at least considered) in the jsp,
> which seems to break proper separation of concerns