Thanks Tim, your first sentence I think answers my question about "does it indeed only work on client requests".
But that's not quite the situation here... It's still a request for a resource:

1. request /dispatcher?page=fookey
2. dispatcher translates fookey to /somepage/somewhere.jsp
3. a request for /somepage/somewhere.jsp is made
4. somepage/somewhere.jsp has a security constraint not being honoured.

And this is because security constraints are only checked for client-side requests, and not through forwarded or included requests (server-side). Filters currently act this way (the filter mappings are not honoured when server-side requests are made).

Do you (or anyone else) think that AUTH mappings should be 'enhanced' as well, so that forwards/includes will be checked? (like Filters have changed for 2.4)

> -----Original Message-----
> From: Tim Funk [mailto:[EMAIL PROTECTED]
> Sent: Friday, August 01, 2003 11:52 AM
> To: Tomcat Users List
> Subject: Re: FORM Login Bypassed
>
> Security constraints are imposed on the incoming url.
>
> Query strings are not used in servlet mapping declarations.
>
> -Tim
>
> Ronnie wrote:
> > Hi!
> >
> > I have this web application using FORM login access but I am having a
> > problem directing the navigation to the defined login page when a user
> > clicks on a secure link.
> >
> > You see, I am using a DispatcherServlet as a navigation controller to
> > direct users to the correct page and the URL is coded as:
> >
> >   <a href="dispatcher?action=admin">admin</a>
> >
> > Where "dispatcher" is the URL name of the DispatcherServlet. In the
> > servlet, "admin" is translated to "/computers/admin/index.jsp" from
> > values coded in web.xml.
> >
> > Now when I declare the protected url-pattern as "/computers/admin/*"
> > as below, when I click on the above link the login page is bypassed
> > and I can access the admin index page without logging in.
> >
> >   <security-constraint>
> >     <web-resource-collection>
> >       <web-resource-name>Administration functions</web-resource-name>
> >       <!-- <url-pattern>dispatcher?action=admin</url-pattern> Does not work! -->
> >       <url-pattern>/computers/admin/*</url-pattern>
> >     </web-resource-collection>
> >     <auth-constraint>
> >       <!-- Anyone with one of the listed roles may access this area -->
> >       <role-name>admin</role-name>
> >     </auth-constraint>
> >
> >     <!-- HTTPS/SSL-->
> >     <user-data-constraint>
> >       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> >     </user-data-constraint>
> >   </security-constraint>
> >
> >   <login-config>
> >     <auth-method>FORM</auth-method>
> >     <form-login-config>
> >       <form-login-page>dispatcher?action=adminLogin</form-login-page>
> >       <form-error-page>dispatcher?action=adminLoginFail</form-error-page>
> >     </form-login-config>
> >   </login-config>
> >
> > To overcome this I had to hardcode the link in my webpage as:
> >
> >   <a href="/Computers/computers/admin/index.jsp">admin</a>
> >
> > I wish to keep my navigation based on logical names. Is there a
> > work-around or solution to this problem?
> >
> > Regards,
> > Ronnie Choo
> > Singapore
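One defensive way to close the gap discussed in this thread, as an added example that is not code from the thread or from Tomcat: a filter mapped with the Servlet 2.4 <dispatcher>FORWARD</dispatcher> element, so that the role check the container skips on a server-side forward is repeated before the protected JSP runs. The class name ForwardAuthFilter and its init-param are assumptions; the /computers/admin/* path and the admin role come from the quoted web.xml.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/*
 * Added example (not from the thread). Servlet 2.4 lets a filter see
 * server-side forwards, which <security-constraint> does not; map it as:
 *
 *   <filter-mapping>
 *     <filter-name>ForwardAuthFilter</filter-name>   <!-- assumed name -->
 *     <url-pattern>/computers/admin/*</url-pattern>
 *     <dispatcher>FORWARD</dispatcher>
 *   </filter-mapping>
 */
public class ForwardAuthFilter implements Filter {
    private String requiredRole = "admin";   // role from the quoted web.xml

    public void init(FilterConfig config) {
        String role = config.getInitParameter("role");   // hypothetical init-param
        if (role != null) {
            requiredRole = role;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (request.isUserInRole(requiredRole)) {
            chain.doFilter(req, res);   // authenticated and authorised: let the JSP run
            return;
        }
        if (request.getRemoteUser() == null) {
            // Not logged in. On a forward the path elements name the target JSP,
            // so redirect the browser there: the container then applies its own
            // <security-constraint> and shows the configured FORM login page.
            String pathInfo = request.getPathInfo();
            String target = request.getServletPath() + (pathInfo == null ? "" : pathInfo);
            response.sendRedirect(request.getContextPath() + target);
            return;
        }
        // Logged in but lacking the role: refuse without rendering the page.
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
    }

    public void destroy() { }
}
```

Because the redirect turns the forward into a fresh client request for the protected URL, the existing <security-constraint> and <login-config> do the actual authentication, and the dispatcher can keep using logical names.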
