On Mon, 17 Feb 2003, Donald Ball wrote:

> Date: Mon, 17 Feb 2003 11:44:16 -0500
> From: Donald Ball <[EMAIL PROTECTED]>
> Reply-To: Tomcat Developers List <[EMAIL PROTECTED]>
> To: Tomcat Developers List <[EMAIL PROTECTED]>
> Subject: Re: Request to Fix Tomcat Standalone 302 redirect Issue
>
> Tim Funk wrote:
>
> > A patch (which I didn't look at yet) could introduce the following:
> > - Bypassing security constraints, e.g. index.jsp is protected but / isn't
> > - Vulnerabilities - Through a wacky optimization, other pages might
> > get accidentally exposed
>
>
> Just curious... I assume the patch uses RequestDispatcher.forward to
> handle the request, right? But these checks should already be done by
> the RequestDispatcher, otherwise _anything_ that uses rd.forward could
> break security. So if we trust rd, what's the issue? If we don't, um,
> why _not_?
>

Security constraints are only checked on the original request URL, not on
RD.forward or RD.include calls -- the container assumes that the
application knows what it is doing in executing those calls within the
app.

If the container wants to use RD (or the internal equivalent) to implement
welcome file support, or other container level features like error files,
it had better pay attention to the security constraints.

> - donald

Craig
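
The gap Craig describes, as an added example that is not part of the original message and is not Tomcat code: a toy container model in which the constraint check runs on the client's URL only, so a welcome-file forward from `/` reaches a protected `/index.jsp` unless the container re-checks the target. All class, method and role names here are hypothetical, and the constraint table is constructed for the example.

```java
import java.util.Map;
import java.util.Set;

// Toy model of a servlet container, written for this example only.
// It does not use Tomcat or servlet API classes.
public class WelcomeFileConstraintDemo {
    // Constructed constraint table: exact URL -> role required to access it.
    static final Map<String, String> CONSTRAINTS = Map.of("/index.jsp", "admin");
    static final String WELCOME_FILE = "/index.jsp";

    // The security-constraint check, applied to one URL.
    static boolean permitted(String path, Set<String> roles) {
        String required = CONSTRAINTS.get(path);
        return required == null || roles.contains(required);
    }

    // Models RD.forward: serves the target with no constraint check,
    // because the caller is assumed to know what it is doing.
    static String dispatch(String path) {
        return "200 " + path;
    }

    // Entry point for a client request. Constraints are checked against the
    // original request URL; recheckWelcome selects whether the container also
    // checks the welcome-file target before forwarding to it.
    static String service(String requestPath, Set<String> roles, boolean recheckWelcome) {
        if (!permitted(requestPath, roles)) {
            return "403 " + requestPath;
        }
        if (requestPath.equals("/")) {
            // Container-level welcome-file support implemented as an internal forward.
            if (recheckWelcome && !permitted(WELCOME_FILE, roles)) {
                return "403 " + WELCOME_FILE;
            }
            return dispatch(WELCOME_FILE);
        }
        return dispatch(requestPath);
    }

    public static void main(String[] args) {
        Set<String> anonymous = Set.of();
        System.out.println("direct request:        " + service("/index.jsp", anonymous, false));
        System.out.println("welcome, no re-check:  " + service("/", anonymous, false));
        System.out.println("welcome, re-checked:   " + service("/", anonymous, true));
        System.out.println("welcome, admin role:   " + service("/", Set.of("admin"), true));
    }
}
```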
