http://nagoya.apache.org/bugzilla/show_bug.cgi?id=4374

bypass of authentication mechanism

           Summary: bypass of authentication mechanism
           Product: Tomcat 4
           Version: 4.0.1 Final
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Unknown
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]

The container based security mechanism in tomcat can be bypassed by accessing the protected page using <jsp:include/> or <jsp:forward/>. A user can access the page with a null username, where I think the login form should be displayed. This is occurring with the MemoryRealm, as well as with my custom JDBC realm implementation. It also applies to tomcat v3.2.3.

I will add an attachment to this bug report which is a jsp file that can be used in the webapps/examples/jsp directory to demonstrate the problem.
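A defence-in-depth filter, added here as an illustration and not code from the bug report or from Tomcat itself, that re-checks the caller's principal and role on requests that reach a protected path through an include or forward. It assumes a Servlet 2.4 or later container, where a filter can be mapped to INCLUDE and FORWARD dispatches; the protected prefix and role names are placeholders.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical defence-in-depth filter: re-applies the role check to requests that
// reach a protected path through <jsp:include/> or <jsp:forward/>, which the
// declarative <security-constraint> does not cover. Map it in web.xml to the protected
// url-pattern with <dispatcher>INCLUDE</dispatcher> and <dispatcher>FORWARD</dispatcher>.
public class DispatchAuthFilter implements Filter {
    // Assumed values: mirror the url-pattern and role-name of the application's
    // own security constraint.
    private static final String PROTECTED_PREFIX = "/protected/";
    private static final String[] REQUIRED_ROLES = { "admin", "user" };
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // An include keeps the caller's servlet path and records the target in a
        // request attribute; a forward replaces the servlet path with the target's.
        String included = (String) request.getAttribute("javax.servlet.include.servlet_path");
        String path = (included != null) ? included : request.getServletPath();
        if (path.startsWith(PROTECTED_PREFIX) && !hasRequiredRole(request)) {
            // Status changes made inside an include are ignored by the container, so
            // for an include just emit nothing; a forward can still answer 403.
            if (included == null) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
            }
            return; // the protected content is never written either way
        }
        chain.doFilter(req, res);
    }
    static boolean hasRequiredRole(HttpServletRequest request) {
        if (request.getUserPrincipal() == null) {
            return false; // the "null username" case described in the report
        }
        for (String role : REQUIRED_ROLES) {
            if (request.isUserInRole(role)) return true;
        }
        return false;
    }
}
```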
