> From: Brian McBride [mailto:bwm.topmea...@googlemail.com] > Subject: interaction between .forward() and <security-constraint>
> I want to have no authorization constraint because some resources have > public access and no authentication is required for access to those > resources. Declarative security is intentionally static; there's nothing in the spec that allows for the accessibility of a resource to change after deployment. If the public resources are always public, you can declare their <url-pattern> values in web.xml and omit the <auth-constraint> for those patterns - but that's only useful if everything else is protected with an <auth-constraint>. > Is there a way I can programatically cause the authentication check? If you're using programmatic security, you are responsible for the authentication and authorization. > Is there another way to implement discretionary access control, other > than implementing my own authentication mechanism? Has anyone else > solved this problem? What you're trying to do is completely outside the spec, so you're pretty much on your own. > Is Tomcat's behaviour 'correct'? There may be good reason for the > current interpretation of the spec, but from my point of view allowing > .forward() to circumvent declared security constraints is questionable. This is very plainly stated in SRV.12.2: "The security model applies to the static content part of the web application and to servlets and filters within the application that are requested by the client. The security model does not apply when a servlet uses the RequestDispatcher to invoke a static resource or servlet using a forward or an include." - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
