Authentication aside, does the servlet container work such that an include or RD operation has the option of passing through the filter? If so, as of which release?
Best Regards, Jacob | -----Original Message----- | From: Tim Funk [mailto:[EMAIL PROTECTED]] | Sent: Friday, January 10, 2003 6:30 AM | To: Tomcat Users List | Subject: Re: Authentication and Filters | | I meant 2.5 since changes to 2.4 are closed from my position in the dev | community. | | My point is only the incoming request is protected by the security | constraint in web.xml. It may be nice to allow the programmer to also | check future dispatches for authorization before the dispatch occurs. | | RequestDispatcher.isAuthorized() was to allow an admin to define | additional security contraints in web.xml without writing code. This | also requires the cooperation of the developer of a webapp to check for | this condition too. | | Sorry for starting to take this off-topic. | | -Tim | | Craig R. McClanahan wrote: | > | > On Thu, 9 Jan 2003, Tim Funk wrote: | > | > | >>Date: Thu, 09 Jan 2003 21:15:12 -0500 | >>From: Tim Funk <[EMAIL PROTECTED]> | >>Reply-To: Tomcat Users List <[EMAIL PROTECTED]> | >>To: Tomcat Users List <[EMAIL PROTECTED]> | >>Subject: Re: Authentication and Filters | >> | >>Is there a chance (or worthwhile) that in Servlet API 2.5 a developer | >>could check if an obtained RequestDispatcher would violate a security | >>constraint in web.xml? | >> | > | > | > I assume you mean Servlet 2.4, right? | > | > | >>For example the following new method: | >>RequestDispatcher.isAuthorized() | >>Returns true if the RequestDispatcher's url passes the constraints | >>defined in web.xml | > | > | > This does not seem likely to me. Nor does it seem necessary. After | all, | > your application has available everything it needs to know (through | calls | > like request.getUserPrincipal() and request.isUserInRole()) to make this | > decision for itself. If the app chooses to forward, the container is | > going to assume that it knows what it is doing. | > | > Now that you can declare a Filter to be imposed on RD calls in Servlet | > 2.4, that might be a good place to implement a check like this. | > | > | >>-Tim | >> | > | > | > Craig | > | | | -- | To unsubscribe, e-mail: <mailto:tomcat-user- | [EMAIL PROTECTED]> | For additional commands, e-mail: <mailto:tomcat-user- | [EMAIL PROTECTED]> -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
