On Wed, 29 Aug 2001, Achim Baier wrote:
>
> Now my question:
> Am I wrong-minded, is it bug or is it a jsp/servlet/j2ee-feature? Any
> comments?
>
Security constraints that you mention in your web.xml deployment
descriptor are *only* applied to the original request URI, *not* to any
request URI that is included by your servlet or JSP page. That is by
design.
If the content from a particular include should not be displayed to a
particular user (because they don't have a required role), you should not
be doing the include in the first place.
> Thanks in advance,
> Achim
>
Craig McClanahan
