On Thu, 9 Jan 2003, Tim Funk wrote:
> Date: Thu, 09 Jan 2003 21:15:12 -0500
> From: Tim Funk <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: Re: Authentication and Filters
>
> Is there a chance (or worthwhile) that in Servlet API 2.5 a developer
> could check if an obtained RequestDispatcher would violate a security
> constraint in web.xml?
>

I assume you mean Servlet 2.4, right?

> For example the following new method:
> RequestDispatcher.isAuthorized()
> Returns true if the RequestDispatcher's url passes the constraints
> defined in web.xml

This does not seem likely to me. Nor does it seem necessary. After all,
your application has available everything it needs to know (through calls
like request.getUserPrincipal() and request.isUserInRole()) to make this
decision for itself. If the app chooses to forward, the container is going
to assume that it knows what it is doing.

Now that you can declare a Filter to be imposed on RD calls in Servlet 2.4,
that might be a good place to implement a check like this.

>
> -Tim
>

Craig
