Posted to dev@tomcat.apache.org by cr...@locus.apache.org on 2000/11/04 22:07:28 UTC

cvs commit: jakarta-tomcat/src/doc readme

craigmcc    00/11/04 13:07:28

  Modified:    src/doc  Tag: tomcat_32 readme
  Log:
  Add a note about the fact that Tomcat 3.2 applies security constraints
  on request dispatcher forwards and includes.
  
  Revision  Changes    Path
  No                   revision
  
  
  1.8.2.4   +16 -1     jakarta-tomcat/src/doc/readme
  
  Index: readme
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/src/doc/readme,v
  retrieving revision 1.8.2.3
  retrieving revision 1.8.2.4
  diff -u -r1.8.2.3 -r1.8.2.4
  --- readme	2000/10/13 02:52:31	1.8.2.3
  +++ readme	2000/11/04 21:07:26	1.8.2.4
  @@ -1,4 +1,4 @@
  -$Id: readme,v 1.8.2.3 2000/10/13 02:52:31 larryi Exp $
  +$Id: readme,v 1.8.2.4 2000/11/04 21:07:26 craigmcc Exp $
   
                              Release Notes for:
                              ==================
  @@ -280,3 +280,18 @@
   URL. If that static page contains relative links to resources served by
   Tomcat, then invoking those links would carry the mismatched case to Tomcat
   where it cause the resource not to be found.
  +
  +6.8 Container Managed Security Constraints
  +
  +Due to the way that Tomcat 3.2 is implemented, container managed security
  +constraints are imposed both on the original request URI *and* on subrequests
  +initiated to handle RequestDispatcher.forward() or RequestDispatcher.include()
  +calls.  Whether or not this should actually be done was not defined in the
  +Servlet 2.2 Specification, but has been clarified in 2.3 -- security
  +constraints should only be applied on the original request URI.
  +
  +For future compatibility, you should be aware of this issue as you design your
  +security constraint architecture, to avoid portability problems if you ever
  +migrate to a different Servlet 2.2 container (which might implement this
  +differently), or to a Servlet 2.3 container at a later date.
  +
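Review bot: The second paragraph of the new section 6.8 ("For future compatibility, you should be aware of this issue ...") names a portability risk but gives no design guidance, and the case that matters most for security is left implicit: an application that relies on a constraint being checked on the target of RequestDispatcher.forward() or RequestDispatcher.include() loses that check in a container that follows the 2.3 clarification, because only the original request URI is evaluated there. Suggest adding a sentence telling readers to define constraints so that each original request URI is covered in its own right, and not to depend on the subrequest check as the only protection for a resource. It would also help to state the opposite effect on 3.2, where a forward or include into a constrained URI has the constraint imposed even if the original request URI was unconstrained, so that readers see the behaviour can differ from other containers in both directions.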