> A key rule to remember is that security constraints are applied *only* on > the original URL requested by the client -- not on RequestDispatcher > calls.
On last thing, is this a part of the servlet spec, or is it left unstated and this is just Tomcat's particular implementation? Thanks -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
