"Craig R. McClanahan" wrote:
> [...]
> This kind of function re-use makes sense -- however, it has a disturbing
> implication in this case. The implementation of processRequest() calls
> the contextMap() and requestMap() methods of all configured request
> interceptors. This means (among other things) that security
> constraints, if you are using container managed security, will be called
> on the original request *and* on the forwarded-to or included servlet.
>
> This behavior wasn't really specified in servlet 2.2, but it was
> clarified in 2.3 -- security constraints are only to be applied on the
> original request URI, not when doing request dispatcher stuff.
>
> Because it was unspecified in 2.2, I recommend we just note this as an
> issue in the Tomcat 3.2 release notes -- unless someone wants to dig in
> and do the intricate special casing necessary to make this work the way
> that 2.3 would require. Any thoughts?

Are you sure that it's not special-cased somewhere else? I have an example
with a servlet performing access control that uses forward() to invoke JSP
pages that are protected from direct access in web.xml (using BASIC
authentication). This works fine in TC 3.2 Beta 6. Either I'm missing
something or this code has changed between Beta 6 and now.
Hans
--
Hans Bergsten [EMAIL PROTECTED]
Gefion Software http://www.gefionsoftware.com
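
Added example, not part of the original messages and not Tomcat's or the poster's code: a sketch of the setup discussed above, where a servlet does its own access check and then forward()s to a JSP that web.xml protects from direct access. The class name, paths, role name and session attribute are hypothetical.

```java
// Matching web.xml fragment (Servlet 2.2 syntax), shown here as a comment.
// The url-pattern, resource name and role name are hypothetical.
//   <security-constraint>
//     <web-resource-collection>
//       <web-resource-name>Internal JSPs</web-resource-name>
//       <url-pattern>/protected/*</url-pattern>
//     </web-resource-collection>
//     <auth-constraint><role-name>staff</role-name></auth-constraint>
//   </security-constraint>
//   <login-config><auth-method>BASIC</auth-method></login-config>

import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class GatekeeperServlet extends HttpServlet {

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Application-level access control performed by the servlet itself.
        if (!isAllowed(req)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Internal dispatch to a JSP under the constrained URL pattern.
        // Under the 2.3 rule quoted above, the container evaluates the
        // /protected/* constraint only for a client request sent directly
        // to that URI, not for this forward. A container that re-runs its
        // constraint checks on dispatch evaluates it here a second time.
        RequestDispatcher rd =
                getServletContext().getRequestDispatcher("/protected/report.jsp");
        rd.forward(req, resp);
    }

    // Hypothetical check: a "user" session attribute set by the
    // application's own login code.
    private boolean isAllowed(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        return session != null && session.getAttribute("user") != null;
    }
}
```

To see which behaviour a given container build has, request the servlet URL and the JSP URL separately and compare which of the two triggers the BASIC challenge.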