Hi. I have the following behaviour in Tomcat 3.2b6 on Windows NT. I protect a page P using security-constraint in the deployment descriptor. So when I call this page, the browser asks me for a login/password. Now, I have a JSP page which is <jsp:forward page "P">. When I call the JSP page, I see the P page without giving any login/password. I think that this is a security hole. Does anyone have already see that behaviour? Is it a bug or is it ok? Best Regards, Carole Hébrard.
- Re: Security and Forward Carole HEBRARD
- Re: Security and Forward Craig R. McClanahan
- RE: Security and Forward Willie Wheeler
- Re: Security and Forward Matt Goss
- Re: Security and Forward Steve Goyette
- Re: Security and Forward Matt Goss
- Re: Security and Forward Craig R. McClanahan
- Re: Security and Forward Carole HEBRARD
- Re: Security and Forward Pierre Delisle