I meant 2.5 since changes to 2.4 are closed from my position in the dev community.

My point is only the incoming request is protected by the security constraint in web.xml. It may be nice to allow the programmer to also check future dispatches for authorization before the dispatch occurs.

RequestDispatcher.isAuthorized() was to allow an admin to define additional security constraints in web.xml without writing code. This also requires the cooperation of the developer of a webapp to check for this condition too.

Sorry for starting to take this off-topic.

-Tim

Craig R. McClanahan wrote:
On Thu, 9 Jan 2003, Tim Funk wrote:

Date: Thu, 09 Jan 2003 21:15:12 -0500
From: Tim Funk <[EMAIL PROTECTED]>
Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
To: Tomcat Users List <[EMAIL PROTECTED]>
Subject: Re: Authentication and Filters

Is there a chance (or worthwhile) that in Servlet API 2.5 a developer
could check if an obtained RequestDispatcher would violate a security
constraint in web.xml?


I assume you mean Servlet 2.4, right?


For example the following new method:
RequestDispatcher.isAuthorized()
Returns true if the RequestDispatcher's url passes the constraints
defined in web.xml

This does not seem likely to me.  Nor does it seem necessary.  After all,
your application has available everything it needs to know (through calls
like request.getUserPrincipal() and request.isUserInRole()) to make this
decision for itself.  If the app chooses to forward, the container is
going to assume that it knows what it is doing.

Now that you can declare a Filter to be imposed on RD calls in Servlet
2.4, that might be a good place to implement a check like this.


-Tim


Craig

