On Thu, 14 Feb 2002, Mark Thill wrote:
> Date: Thu, 14 Feb 2002 07:05:26 -0800 (PST)
> From: Mark Thill <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: TC4 Realm Problem
>
> I just started testing realms with the default
> installation that comes with Tomcat 4.0.1, so I'm
> using the MemoryRealm. I'm having an issue where, if I
> place a servlet in a non-secure area and a JSP page in
> a secure area, I can use:
>
> getServletContext().getRequestDispatcher(url).forward(request,
> response);
>
> from the servlet to seemingly bypass the security
> addressed by the realm and forward right into the
> secure area without authenticating. Can anyone tell
> me if this is by design, am I doing something wrong,
> or if this is maybe a bug.
>
No, it is not a bug. Security constraints only apply to the *original*
request URI from the user. Applications are assumed to know what they are
doing -- if the app doesn't want the user to follow a particular forward,
it shouldn't execute that forward.
> Thanks
> Mark T.
>
Craig
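The following is an added illustration of the point made in the reply above; it is example code written for this page, not code from the original post or from Tomcat. The servlet names, the URL patterns, the role name and the web.xml fragment in the comment are all assumptions. The first servlet reproduces the behaviour described in the question; the second shows the two ways an application can stop an unauthenticated caller from being forwarded into the constrained area.

```java
import java.io.IOException;
import java.security.Principal;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Assumed deployment descriptor (web.xml), hypothetical:
 *
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>Secure area</web-resource-name>
 *       <url-pattern>/secure/*</url-pattern>
 *     </web-resource-collection>
 *     <auth-constraint><role-name>manager</role-name></auth-constraint>
 *   </security-constraint>
 *
 * Both servlets are assumed to be mapped to UNPROTECTED URLs (for
 * example /report and /report-safe).  The container evaluates the
 * constraint only against the URI the browser actually requested, so a
 * RequestDispatcher.forward() from /report to /secure/report.jsp is
 * never checked against it.
 */

// File: LeakyReportServlet.java
/** The pattern from the question: an unprotected servlet forwards into the secure area. */
public class LeakyReportServlet extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // The constraint on /secure/* is NOT re-evaluated for this forward:
        // an anonymous GET /report renders the protected JSP.
        RequestDispatcher rd =
                getServletContext().getRequestDispatcher("/secure/report.jsp");
        rd.forward(request, response);
    }
}

// File: GuardedReportServlet.java
/** Hardened form: the application enforces the rule the container would have enforced. */
public class GuardedReportServlet extends HttpServlet {
    private static final String PROTECTED_PAGE = "/secure/report.jsp"; // assumed path
    private static final String REQUIRED_ROLE = "manager";             // assumed role

    /** True only if the container has authenticated the caller and the realm maps it to the role. */
    static boolean isAuthorized(HttpServletRequest request, String role) {
        Principal p = request.getUserPrincipal();   // null for an unauthenticated request
        return p != null && request.isUserInRole(role);
    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        if (!isAuthorized(request, REQUIRED_ROLE)) {
            // Option A: refuse outright.
            //   response.sendError(HttpServletResponse.SC_FORBIDDEN);
            //
            // Option B (used here): redirect instead of forwarding.  A redirect
            // makes the browser issue a NEW request whose URI is the protected
            // one, so the container's authenticator (BASIC/FORM, backed by the
            // realm) runs and the user has to log in before the page is served.
            response.sendRedirect(response.encodeRedirectURL(
                    request.getContextPath() + PROTECTED_PAGE));
            return;
        }
        // Caller is authenticated and in the role: the forward is now safe.
        getServletContext().getRequestDispatcher(PROTECTED_PAGE).forward(request, response);
    }
}
```

Two things to keep in mind when applying this: `isUserInRole()` answers according to the realm's role mapping (with the MemoryRealm, the roles listed for the user in tomcat-users.xml), so the role name checked in code must match the one in the `<auth-constraint>`; and the redirect variant only helps if the target URL is itself covered by a constraint, otherwise the browser simply fetches the page anonymously.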
--
To unsubscribe: <mailto:[EMAIL PROTECTED]>
For additional commands: <mailto:[EMAIL PROTECTED]>
Troubles with the list: <mailto:[EMAIL PROTECTED]>