Posted to users@tomcat.apache.org by Steve Goyette <st...@wildfire.net> on 2000/11/01 14:42:35 UTC

Re: Security and Forward

redirect, I believe, sends the "Location:" header to your browser.  Your
browser then in turn makes a new request.  In this case the security
constraint WOULD apply.  Also understand in a redirect you are dealing with
a new request, so you must pass all the request parameters you want in the
redirect statement.

steve


> From: Matt Goss <mg...@rtci.com>
> Organization: RTCI
> Reply-To: tomcat-user@jakarta.apache.org
> Date: Wed, 01 Nov 2000 09:09:08 -0500
> To: tomcat-user@jakarta.apache.org
> Subject: Re: Security and Forward
> 
> Hi,
> what if you use a redirect instead of forward?
> Matt Goss
> 
> "Craig R. McClanahan" wrote:
> 
>> Carole HEBRARD wrote:
>> 
>>> Hi.
>>> 
>>> I have the following behaviour in Tomcat 3.2b6 on Windows NT.
>>> I protect a page P using security-constraint in the deployment
>>> descriptor. So when I call this page, the browser asks me for a
>>> login/password.
>>> Now, I have a JSP page which is    <jsp:forward page="P" />.
>>> When I call the JSP page, I see the P page without giving any
>>> login/password.
>>> 
>>> I think that this is a security hole.
>>> Has anyone already seen that behaviour? Is it a bug or is it ok?
>>> 
>> 
>> This was recently clarified in discussions for servlet 2.3.  Security
>> constraints apply only on the initial request URI, not on the URIs used
>> for request dispatchers.  The assumption is that your application knows
>> whether or not the forwarded-to page is acceptable, or it would not have
>> done the forward in the first place.
>> 
>> In 2.3, the same rule applies to filters -- they are only based on the
>> original request URI.
>> 
>>> 
>>> Best Regards,
>>> Carole Hébrard.
>> 
>> Craig McClanahan
> 
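Added example (not code from the thread or from Tomcat): a servlet that shows the two behaviours discussed above side by side. The redirect branch emits a "Location:" header so the browser makes a new request for the protected page, which the container checks against the security-constraint; the forward branch stays inside the container, where the constraint is not re-evaluated, so the servlet mirrors the constraint itself with isUserInRole() before forwarding. The servlet name, the paths "/P" and "/entry", the parameter "item" and the role name "member" are assumptions.

```java
// Added example, not from the original thread. Assumed web.xml fragment
// protecting the page "P" (paths and role name are assumptions):
//
//   <security-constraint>
//     <web-resource-collection>
//       <web-resource-name>Protected page</web-resource-name>
//       <url-pattern>/P</url-pattern>
//     </web-resource-collection>
//     <auth-constraint><role-name>member</role-name></auth-constraint>
//   </security-constraint>
//
// Mapped (for illustration) to /entry; call /entry?mode=redirect or /entry.

import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class EntryServlet extends HttpServlet {

    private static final String PROTECTED_PAGE = "/P";      // assumed path
    private static final String REQUIRED_ROLE = "member";   // assumed role

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String mode = req.getParameter("mode");
        String item = req.getParameter("item");
        if (item == null) {
            item = "";
        }

        if ("redirect".equals(mode)) {
            // sendRedirect() answers with a 302 and a "Location:" header.
            // The browser then issues a NEW request for /P, and that request
            // goes through the container's security-constraint check, so an
            // unauthenticated user is challenged for a login/password.
            // Because it is a new request, every parameter the target needs
            // has to be carried on the URL explicitly.
            String target = req.getContextPath() + PROTECTED_PAGE
                    + "?item=" + URLEncoder.encode(item, "UTF-8");
            resp.sendRedirect(resp.encodeRedirectURL(target));
            return;
        }

        // RequestDispatcher.forward() stays inside the container. Security
        // constraints apply only to the original request URI (/entry), not
        // to /P, so nothing stops an anonymous caller from seeing P unless
        // the application checks for itself. Mirror the constraint in code.
        if (req.getUserPrincipal() == null || !req.isUserInRole(REQUIRED_ROLE)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Not authorized for " + PROTECTED_PAGE);
            return;
        }

        // The forwarded request keeps the original request parameters, so
        // "item" is available to P without re-passing it.
        RequestDispatcher rd = req.getRequestDispatcher(PROTECTED_PAGE);
        rd.forward(req, resp);
    }
}
```

The simplest defence is often to place the forwarding servlet or JSP itself under the same security-constraint as its target, so the caller has already authenticated before any forward happens. For the filters remark in Craig's reply: from Servlet 2.4 onward a filter mapping may carry a `<dispatcher>FORWARD</dispatcher>` element, which makes the filter run on forwarded requests as well, but a `<security-constraint>` still applies to the original request URI only.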


Re: Security and Forward

Posted by Matt Goss <mg...@rtci.com>.
cool, that's what I thought... thanks :)
Matt

Steve Goyette wrote:

> redirect, I believe, sends the "Location:" header to your browser.  Your
> browser then in turn makes a new request.  In this case the security
> constraint WOULD apply.  Also understand in a redirect you are dealing with
> a new request, so you must pass all the request parameters you want in the
> redirect statement.
>
> steve
>
> > From: Matt Goss <mg...@rtci.com>
> > Organization: RTCI
> > Reply-To: tomcat-user@jakarta.apache.org
> > Date: Wed, 01 Nov 2000 09:09:08 -0500
> > To: tomcat-user@jakarta.apache.org
> > Subject: Re: Security and Forward
> >
> > Hi,
> > what if you use a redirect instead of forward?
> > Matt Goss
> >
> > "Craig R. McClanahan" wrote:
> >
> >> Carole HEBRARD wrote:
> >>
> >>> Hi.
> >>>
> >>> I have the following behaviour in Tomcat 3.2b6 on Windows NT.
> >>> I protect a page P using security-constraint in the deployment
> >>> descriptor. So when I call this page, the browser asks me for a
> >>> login/password.
> >>> Now, I have a JSP page which is    <jsp:forward page="P" />.
> >>> When I call the JSP page, I see the P page without giving any
> >>> login/password.
> >>>
> >>> I think that this is a security hole.
> >>> Has anyone already seen that behaviour? Is it a bug or is it ok?
> >>>
> >>
> >> This was recently clarified in discussions for servlet 2.3.  Security
> >> constraints apply only on the initial request URI, not on the URIs used
> >> for request dispatchers.  The assumption is that your application knows
> >> whether or not the forwarded-to page is acceptable, or it would not have
> >> done the forward in the first place.
> >>
> >> In 2.3, the same rule applies to filters -- they are only based on the
> >> original request URI.
> >>
> >>>
> >>> Best Regards,
> >>> Carole Hébrard.
> >>
> >> Craig McClanahan
> >