Posted to users@tomcat.apache.org by Cosyns <xc...@noctis.be> on 2003/04/18 15:13:46 UTC

Form based auth with jsp:include

Hi,
 
I am doing some tests with Tomcat and the form-based authentication
and I have the following issue:
 
I have a JSP in a non-protected directory which includes a protected
sub-JSP. I hoped the fact of accessing a protected resource would force
me to go to the login screen but apparently it does not and gives access
to my protected pages without authentication!
I wonder why it works this way and if there is a way around this.
 
Does anybody have an explanation?
 
Thanks in advance,
Cosyns Xavier,

Re: Form based auth with jsp:include

Posted by Gary Gwin <to...@cafesoft.com>.
Try putting the included JSP in WEB-INF, which restricts HTTP access.

Gary

Cosyns wrote:
> Hi,
>  
> I am doing some tests with Tomcat and the form-based authentication
> and I have the following issue:
>  
> I have a JSP in a non-protected directory which includes a protected
> sub-JSP. I hoped the fact of accessing a protected resource would force
> me to go to the login screen but apparently it does not and gives access
> to my protected pages without authentication!
> I wonder why it works this way and if there is a way around this.
>  
> Does anybody have an explanation?
>  
> Thanks in advance,
> Cosyns Xavier,
> 

-- 

Gary Gwin
http://www.cafesoft.com

*****************************************************************
*                                                               *
*   The Cafesoft Access Management System, Cams, is security    *
*   software that provides single sign-on authentication and    *
*   centralized access control for Apache, Tomcat, and custom   *
*   resources.                                                  *
*                                                               *
*****************************************************************


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Re: Form based auth with jsp:include

Posted by Tim Funk <fu...@joedog.org>.
The security constraints defined in web.xml are only imposed on the incoming 
request URL. That is a restriction of the spec.


-Tim

Cosyns wrote:
> Hi,
>  
> I am doing some tests with Tomcat and the form-based authentication
> and I have the following issue:
>  
> I have a JSP in a non-protected directory which includes a protected
> sub-JSP. I hoped the fact of accessing a protected resource would force
> me to go to the login screen but apparently it does not and gives access
> to my protected pages without authentication!
> I wonder why it works this way and if there is a way around this.
>  
> Does anybody have an explanation?
>  
> Thanks in advance,
> Cosyns Xavier,
> 
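
Since the web.xml constraints are only checked against the incoming request URL, one way to enforce a check on the include itself is a filter mapped to the INCLUDE dispatcher. This is an added example, not part of the original thread or of Tomcat's code; it assumes a Servlet 2.4 or later container (needed for the `<dispatcher>` element), and the class name `IncludeGuardFilter`, the `/protected/*` path and the `role` init-param are hypothetical.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/*
 * web.xml mapping (Servlet 2.4+), so the filter also runs on dispatcher
 * includes and forwards, which <security-constraint> does not cover:
 *
 *   <filter-mapping>
 *     <filter-name>includeGuard</filter-name>
 *     <url-pattern>/protected/*</url-pattern>
 *     <dispatcher>INCLUDE</dispatcher>
 *     <dispatcher>FORWARD</dispatcher>
 *   </filter-mapping>
 */
public class IncludeGuardFilter implements Filter {
    private String requiredRole;

    public void init(FilterConfig config) {
        // Role name comes from a hypothetical <init-param> called "role".
        requiredRole = config.getInitParameter("role");
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // During an include, getServletPath() still reports the outer page;
        // the included target is exposed through this request attribute.
        Object included = http.getAttribute("javax.servlet.include.servlet_path");
        String target = included != null ? (String) included : http.getServletPath();

        if (requiredRole == null || http.getUserPrincipal() == null
                || !http.isUserInRole(requiredRole)) {
            // Status and headers cannot be changed from inside an include,
            // so fail closed by aborting the dispatch.
            throw new ServletException("Unauthenticated dispatch to " + target + " refused");
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

The filter refuses the include rather than starting the form login; for the login page to appear, the outer JSP's own URL has to fall under a security constraint.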
