Posted to users@tomcat.apache.org by Achim Baier <Ac...@records.de> on 2001/08/29 15:50:45 UTC

Security question

Hello everybody, 

I just tried to make a HTTPS connection to a web-application on tomcat
3.2.2. Because of the documentation it was not difficult but I
recognized something I want to ask about.

I have a directory "/secure/". Every resource inside is protected by
"web.xml" security constraint (pattern "/secure/*" transport-guarantee
"CONFIDENTIAL"). In this directory I have 2 files ("index_1.jsp" and
"component.jsp"). I also have another JSP page ("index_2.jsp") outside
the secured directory. "index_1.jsp" makes a <jsp:include
page="component.jsp">. 

If I try to view "index_1.jsp" (or "component.jsp" directly) I have to
use HTTPS and to login. But if "index_2.jsp" also does a <jsp:include
page="component.jsp"> I'm able to view the page with HTTP and without
login. Because <jsp:include> is executed at request time it should (be
able to) check permissions. 

I could use "userInRole" and check the schema inside "component.jsp" but
this would break my goal to just use declarative security. My business
layer objects could check this (if I use EJBs I could also use
declarative security) but I still have a bad feeling about that. It will
be possible to view secured content within every JSP-page. It's not
enough to look at the deployment descriptor and the page/component which
should be protected but also to every other page.

Now my question:
Am I wrong-minded, is it a bug or is it a jsp/servlet/j2ee-feature? Any
comments?

Thanks in advance,
Achim

Re: Security question

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Wed, 29 Aug 2001, Achim Baier wrote:

>
> Now my question:
> Am I wrong-minded, is it a bug or is it a jsp/servlet/j2ee-feature? Any
> comments?
>

Security constraints that you mention in your web.xml deployment
descriptor are *only* applied to the original request URI, *not* to any
request URI that is included by your servlet or JSP page.  That is by
design.

If the content from a particular include should not be displayed to a
particular user (because they don't have a required role), you should not
be doing the include in the first place.

> Thanks in advance,
> Achim
>

Craig McClanahan
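The behaviour Achim describes and the rule Craig states, as an added example that is not part of the original thread or of Tomcat's own code. The servlet stands in for the unprotected "index_2.jsp" and does the same thing a <jsp:include> does, a RequestDispatcher.include of /secure/component.jsp. The security constraint is reproduced in the comment from the question's description; the role name "user", the class name and the decision to write a servlet rather than a JSP are assumptions made for the example. The commented-out lines show the include that the container never checks; the guard below them is the programmatic check one has to write if the include is kept at all, which is exactly the departure from pure declarative security that the question worries about.

```java
// Added example, not code from the thread. A hypothetical servlet playing the
// role of the unprotected index_2.jsp. The constraint below is the one the
// question describes; the container applies it to the request URI the client
// asked for and NOT to a URI that is included server-side.
//
//   <security-constraint>
//     <web-resource-collection>
//       <web-resource-name>secure area</web-resource-name>
//       <url-pattern>/secure/*</url-pattern>
//     </web-resource-collection>
//     <auth-constraint><role-name>user</role-name></auth-constraint>   <!-- role name assumed -->
//     <user-data-constraint>
//       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
//     </user-data-constraint>
//   </security-constraint>

import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class GuardedIncludeServlet extends HttpServlet {
    // Assumed role name; the thread never names one.
    private static final String REQUIRED_ROLE = "user";
    private static final String COMPONENT = "/secure/component.jsp";

    /**
     * Re-implements, in code, the two halves of the constraint on /secure/*
     * (CONFIDENTIAL transport and an authenticated caller in the role) for
     * the one case the container does not cover: a server-side include.
     * isUserInRole() is false for an unauthenticated request, so an HTTP
     * request with no login fails here, just as it would fail if
     * /secure/component.jsp were the request URI.
     */
    static boolean callerMayInclude(HttpServletRequest req) {
        return req.isSecure() && req.isUserInRole(REQUIRED_ROLE);
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/html");
        resp.getWriter().println("<p>public part of the page</p>");

        // What <jsp:include page="/secure/component.jsp"> does. Nothing stops it:
        // the constraint was evaluated against THIS servlet's URI, which is not
        // under /secure/, so the protected content is rendered over plain HTTP
        // to an anonymous client.
        //
        //   RequestDispatcher rd = req.getRequestDispatcher(COMPONENT);
        //   rd.include(req, resp);

        // Craig's rule: if the caller may not see the component, do not include it.
        if (!callerMayInclude(req)) {
            resp.getWriter().println("<p>(protected component omitted)</p>");
            return;
        }
        RequestDispatcher rd = req.getRequestDispatcher(COMPONENT);
        rd.include(req, resp);
    }
}
```

Note that the guard only withholds the content; it cannot make the container redirect to HTTPS or prompt for a login, because those happen before any servlet runs and only for the original request URI. If the whole page needs that treatment, the page doing the include has to sit under a protected url-pattern itself, which is the declarative answer to the question: protect the including page, not just the fragment.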