[EMAIL PROTECTED] wrote:
> 
> >   6.8 Container Managed Security Constraints
> >   Due to the way that Tomcat 3.2 is implemented, container managed security
> >   constraints are imposed both on the original request URI *and* on subrequests
> >   initiated to handle RequestDispatcher.forward() or RequestDispatcher.include()
> >   calls.
> 
> Since I did part of the implementation, my intention was to check the
> security constraints on forward and include.
> 
> The reason - it's a huge security hole to not check them ( IMHO ) - a site
> running multiple webapps ( with different security constraints ) may be
> compromised if the constraints of the original requests are propagated on
> forward. ( you can get a request dispatcher for a different webapp - and
> then call include for a "secure" page ). Disabling access to other webapps
> is not always possible or a good idea.
> 
> Of course, in 2.3 that seems to be required by the spec - I just hope I'm
> wrong and there is a way to avoid the security hole.

2.3 assumes that security is handled at the web app level, by restricting
access to RDs for another app. This is also in the 2.1 spec. I'm not sure
I understand why you think that's "not always possible or a good idea."

> > This does *not* seem to be the case. I have an example that uses the RD to
> > forward() to JSP pages that are protected from direct access using BASIC
> > authentication. It works exactly as it should: forward() invokes them but
> > a direct access prompts for username/password. You may want to look at
> 
> If this is the case probably something changed in the implementation, and
> we should at least find out if the danger is real and document that.

I'll try to take a look at the code today or tomorrow to see what's going
on. But the way it works now (at least in my test case) is the way it
should work according to 2.3, so I agree that we should leave it as it is
and just document how it works (if it's different than 2.3 after all and
if those differences pose a security threat).

Hans
-- 
Hans Bergsten           [EMAIL PROTECTED]
Gefion Software         http://www.gefionsoftware.com
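As an added example (not from the thread or from Tomcat itself), a Servlet 2.3 web.xml that follows the model Hans describes: since a forward() target is not re-checked against the constraints, the constraint has to sit on the URL the client actually requests, and pages reached only by forward() belong under /WEB-INF, where no direct request can hit them. The servlet name, class, paths and role name are assumed.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <!-- Hypothetical servlet; it calls
       getRequestDispatcher("/WEB-INF/jsp/report.jsp").forward(req, resp) -->
  <servlet>
    <servlet-name>ReportDispatcher</servlet-name>
    <servlet-class>example.ReportDispatcher</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>ReportDispatcher</servlet-name>
    <url-pattern>/reports/*</url-pattern>
  </servlet-mapping>

  <!-- Weak variant (do not rely on it alone): constraining only the JSPs, e.g.
       <url-pattern>/jsp/report.jsp</url-pattern>, stops direct requests, but a
       forward() from an unconstrained servlet reaches the page unauthenticated,
       because under 2.3 semantics only the original request URI is checked. -->

  <!-- Corrected: constrain the entry point the client requests. The JSP itself
       lives under /WEB-INF, so it is unreachable by direct request regardless. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Reports</realm-name>
  </login-config>

  <security-role>
    <role-name>manager</role-name>
  </security-role>
</web-app>
```

The cross-webapp case in the thread is separate: a container that restricts RDs for another app does so by having ServletContext.getContext() return null, which the calling servlet must handle.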
