Posted to users@tomcat.apache.org by Cosyns <xc...@noctis.be> on 2003/04/18 15:13:46 UTC
Form based auth with jsp:include
Hi,
I am doing some tests with tomcat and the form based authentication
and I have the following issue:
I got a jsp in a non protected directory which includes a protected
sub-jsp. I hoped the fact of accessing a protected resource would force
me to go to the login screen but apparently it does not and gives access
to my protected pages without authentication!
I wonder why it works this way and if there is a way around this?
Does anybody have an explanation?
Thanks in advance,
Cosyns Xavier,
Re: Form based auth with jsp:include
Posted by Gary Gwin <to...@cafesoft.com>.
Try putting the include jsp in WEB-INF, which restricts HTTP access.
Gary
Cosyns wrote:
> Hi,
>
> I am doing some tests with tomcat and the form based authentication
> and I have the following issue:
>
> I got a jsp in a non protected directory which includes a protected
> sub-jsp. I hoped the fact of accessing a protected resource would force
> me to go to the login screen but apparently it does not and gives access
> to my protected pages without authentication!
> I wonder why it works this way and if there is a way around this?
>
> Does anybody have an explanation?
>
> Thanks in advance,
> Cosyns Xavier,
>
--
Gary Gwin
http://www.cafesoft.com
*****************************************************************
* *
* The Cafesoft Access Management System, Cams, is security *
* software that provides single sign-on authentication and *
* centralized access control for Apache, Tomcat, and custom *
* resources. *
* *
*****************************************************************
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: Form based auth with jsp:include
Posted by Tim Funk <fu...@joedog.org>.
The security constraints defined in web.xml are only imposed on the incoming
request URL. That is a restriction of the spec.
-Tim
Cosyns wrote:
> Hi,
>
> I am doing some tests with tomcat and the form based authentication
> and I have the following issue:
>
> I got a jsp in a non protected directory which includes a protected
> sub-jsp. I hoped the fact of accessing a protected resource would force
> me to go to the login screen but apparently it does not and gives access
> to my protected pages without authentication!
> I wonder why it works this way and if there is a way around this?
>
> Does anybody have an explanation?
>
> Thanks in advance,
> Cosyns Xavier,
>
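Added example, not part of the thread and not any poster's code: since the web.xml constraints are applied only to the incoming request URL, a fragment reached through jsp:include needs its own check. The sketch below is a servlet filter mapped to INCLUDE and FORWARD dispatches; it assumes a Servlet 2.4 or later container (for the `<dispatcher>` elements) and the javax.servlet API, and the names IncludeAuthFilter, /protected/* and the role "member" are hypothetical.

```java
// Added example, not from the thread. Hypothetical names: IncludeAuthFilter,
// /protected/*, role "member". Assumes Servlet 2.4+ and javax.servlet.
//
// web.xml mapping (declarative constraints match only the incoming URL, so the
// filter is mapped to internal dispatches explicitly):
//   <filter-mapping>
//     <filter-name>IncludeAuthFilter</filter-name>
//     <url-pattern>/protected/*</url-pattern>
//     <dispatcher>INCLUDE</dispatcher>
//     <dispatcher>FORWARD</dispatcher>
//   </filter-mapping>
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

public class IncludeAuthFilter implements Filter {
    private String requiredRole;

    public void init(FilterConfig config) {
        // Optional <init-param> "role"; falls back to the hypothetical "member".
        String role = config.getInitParameter("role");
        requiredRole = (role != null) ? role : "member";
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // getUserPrincipal() is null when no user has logged in on this session.
        if (http.getUserPrincipal() == null || !http.isUserInRole(requiredRole)) {
            // Status codes and headers set from inside an include are ignored,
            // so fail closed with an exception instead of calling sendError().
            throw new ServletException(
                "Protected resource dispatched without an authorized user");
        }
        chain.doFilter(req, res); // authorized: render the protected fragment
    }

    public void destroy() {
        // no resources to release
    }
}
```

The filter complements the WEB-INF placement suggested earlier in the thread: WEB-INF blocks direct HTTP access to the fragment, while the filter decides whether an internal include may render it.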