On Thu, 9 Jan 2003, Jeffrey Winter wrote:
> Date: Thu, 9 Jan 2003 21:12:06 -0500
> From: Jeffrey Winter <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: Re: Authentication and Filters
>
> > A key rule to remember is that security constraints are applied *only* on
> > the original URL requested by the client -- not on RequestDispatcher
> > calls.
>
> One last thing, is this a part of the servlet spec, or is it left unstated
> and this is just Tomcat's particular implementation?
>

It's in the spec, but more by omission than commission (i.e. there is no statement that security constraints *are* imposed on RD calls). This is likely to be clarified and explicitly stated in Servlet 2.4. This is definitely not a Tomcat-only feature.

Same thing goes for filter invocations, by the way -- in Servlet 2.3, the filter chain is built only on the original request, not on RD calls. In Servlet 2.4, though, you'll have the option to say that your filter should also be called on RD.forward and/or RD.include calls.

> Thanks

Craig
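The following Servlet 2.4 deployment descriptor is an added example, not part of the original message or of Tomcat's own configuration. It shows a container security constraint next to a filter mapping that opts in to forward and include dispatches, which is the option the reply describes. The filter class `com.example.AuthzFilter`, the `/admin/*` pattern and the `admin` role are hypothetical, and the filter is assumed to perform its own role check.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example. com.example.AuthzFilter, /admin/* and the "admin" role
     are hypothetical names chosen for illustration. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <filter>
    <filter-name>authzFilter</filter-name>
    <!-- Assumed to check the caller's role itself, e.g. via isUserInRole. -->
    <filter-class>com.example.AuthzFilter</filter-class>
  </filter>

  <!-- Without <dispatcher> elements the filter runs only on the original
       client request (the Servlet 2.3 behaviour). Listing FORWARD and
       INCLUDE makes it run on RequestDispatcher calls as well. -->
  <filter-mapping>
    <filter-name>authzFilter</filter-name>
    <url-pattern>/admin/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
  </filter-mapping>

  <!-- Evaluated against the URL the client requested only. A servlet
       outside /admin/* that forwards to /admin/report.jsp is not
       re-checked by the container; the filter above covers that path. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>

  <security-role>
    <role-name>admin</role-name>
  </security-role>
</web-app>
```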
