I structure my webapps with different JSP folders for different user role access, and define the folder patterns in web.xml for each role access. This has worked for many years in my webapps. But in the interest of getting cleaner URLs, I've written a URLRewrite filter. The rewrite filter is correctly rewriting the URLs and forwarding the requests. But I just noticed something I hadn't counted on. The security constraints no longer apply to the call to the rewritten URLs from the filter. In other words, JSPs in the /jsp/admin folder are configured to require the "admin" role. But I can call a JSP from inside the filter to /jsp/admin/myadmintask.jsp and no security challenge occurs.

I guess this makes sense to me. I just wasn't expecting it. I assume that the security constraint now applies to the patterns that come INTO the filter. So instead of constraining /jsp/myadmintask/*.jsp in web.xml, I now need to constrain the inbound URL "/doadmin". Is that correct? I just need some education here. Is it correct that I should map all of the URL patterns that come INTO the rewrite filter? Alternatively, is there some way for me to do the RequestDispatcher.forward call from the filter, and tell it to honor security constraints on the folder structure like it worked prior to adding the rewrite function?

Thanks.
Jerry
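The behaviour described in the post is the container's normal rule: `security-constraint` entries in web.xml are enforced against the request URI the client sent, not against the target of a `RequestDispatcher.forward` made inside the application. The following is an added illustration, not code from the original post, of how a rewrite filter can keep the folder-based role model intact by re-checking the role itself before forwarding. The filter class, the `"/doadmin"` mapping and the `"admin"` role name are taken from the post; the rewrite table and class name are assumptions made for the example.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical rewrite filter (example code, not the poster's filter).
 *
 * Container security constraints are evaluated once, on the inbound URI.
 * A forward to /jsp/admin/... from inside the filter is never re-evaluated,
 * so the filter itself must verify that the caller holds the role the
 * target folder requires before it forwards.
 */
public class RoleCheckingRewriteFilter implements Filter {

    /** One rewrite rule: clean inbound path -> JSP target plus required role. */
    private static final class Rule {
        final String target;
        final String requiredRole; // null means the target is public

        Rule(String target, String requiredRole) {
            this.target = target;
            this.requiredRole = requiredRole;
        }
    }

    // Constructed rewrite table for the example; the role mirrors the folder
    // constraint that web.xml already places on /jsp/admin/*.
    private static final Map<String, Rule> RULES = new LinkedHashMap<>();
    static {
        RULES.put("/doadmin", new Rule("/jsp/admin/myadmintask.jsp", "admin"));
        RULES.put("/home", new Rule("/jsp/public/home.jsp", null));
    }

    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path relative to the context root, e.g. "/doadmin".
        String path = request.getRequestURI().substring(request.getContextPath().length());
        Rule rule = RULES.get(path);
        if (rule == null) {
            chain.doFilter(req, res); // not a clean URL we own; let the container handle it
            return;
        }

        if (rule.requiredRole != null) {
            // No principal means the container never authenticated this request;
            // that happens when the inbound path is not itself constrained in web.xml.
            if (request.getUserPrincipal() == null) {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            // Role check against the same realm the container uses for web.xml roles.
            if (!request.isUserInRole(rule.requiredRole)) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }

        // Safe to forward: the caller satisfied the role the target folder demands.
        request.getRequestDispatcher(rule.target).forward(req, res);
    }

    @Override
    public void destroy() { }
}
```

Two points follow from this design. First, the in-filter check only works if the container has already authenticated the user, and with FORM or BASIC authentication the container only challenges on URLs that carry a `security-constraint`; so the inbound clean URL (`/doadmin`) still needs its own constraint in web.xml, which is exactly the conclusion the post reaches. Second, the existing `/jsp/admin/*` constraint should stay in place as well, so that a client who guesses the real JSP path and requests it directly is still challenged; the filter's role check and the two constraints together keep the original folder-based model enforced from every entry point.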