See the servlet spec. I know for version 2.3 of the spec (which is tomcat4
stuff) - security is applied only to the incoming URL. (The same went for
filters too)
For 2.4 - I know that filters can be applied on RequestDispatcher.include and
RequestDispatcher.forward. So security constraints
I do have a question regarding security across appfuse and other
webapps. Currently, I have two separate web applications running under
Tomcat (5.0.26):
- tdx (which is a version of appfuse)
- jGallery (which dynamically serves images)
The way jGallery works is that it 'crossmaps' image gallery