Posted to users@tomcat.apache.org by Mark Thill <ma...@yahoo.com> on 2002/02/14 16:05:26 UTC

TC4 Realm Problem

I just started testing realms with the default
installation that comes with Tomcat 4.0.1, so I'm
using the MemoryRealm.  I'm having an issue where if I
place a servlet in a non-secure area and a jsp page in
a secure area that I can use:

getServletContext().getRequestDispatcher(url).forward(request,
response);

from the servlet to seemingly bypass the security
addressed by the realm and forward right into the
secure area without authenticating.  Can anyone tell
me if this is by design, am I doing something wrong,
or if this is maybe a bug.

Thanks
Mark T.


--
To unsubscribe:   <ma...@jakarta.apache.org>
For additional commands: <ma...@jakarta.apache.org>
Troubles with the list: <ma...@jakarta.apache.org>


Re: TC4 Realm Problem

Posted by "Christopher K. St. John" <ck...@distributopia.com>.
Mark Thill wrote:
> 
> if I place a servlet in a non-secure area and a jsp page in
> a secure area I can use: 
>
>   getRequestDispatcher(url).forward(request, response);
>
> to seemingly bypass the security. Can anyone tell me if
> this is by design
> 

    SRV.12.2 Declarative Security

    The security model applies to the static content
    part of the web application and to servlets within
    the application that are requested by the client.
    The security model does not apply when a servlet
    uses the RequestDispatcher to invoke a static
    resource or servlet using a forward or an include.

 The spec is available at:

   http://java.sun.com/products/servlet/download.html

-- 
Christopher St. John cks@distributopia.com
DistribuTopia http://www.distributopia.com



Re: TC4 Realm Problem

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Thu, 14 Feb 2002, Mark Thill wrote:

> Date: Thu, 14 Feb 2002 07:05:26 -0800 (PST)
> From: Mark Thill <ma...@yahoo.com>
> Reply-To: Tomcat Users List <to...@jakarta.apache.org>
> To: tomcat-user@jakarta.apache.org
> Subject: TC4 Realm Problem
>
> I just started testing realms with the default
> installation that comes with Tomcat 4.0.1, so I'm
> using the MemoryRealm.  I'm having an issue where if I
> place a servlet in a non-secure area and a jsp page in
> a secure area that I can use:
>
> getServletContext().getRequestDispatcher(url).forward(request,
> response);
>
> from the servlet to seemingly bypass the security
> addressed by the realm and forward right into the
> secure area without authenticating.  Can anyone tell
> me if this is by design, am I doing something wrong,
> or if this is maybe a bug.
>

No, it is not a bug.  Security constraints only apply to the *original*
request URI from the user.  Applications are assumed to know what they are
doing -- if the app doesn't want the user to follow a particular forward,
it shouldn't execute that forward.

> Thanks
> Mark T.
>

Craig


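The point both replies make, that the container evaluates security constraints against the client's original request URI and not against the target of a forward or include, shown as an added Java example (not code from this thread or from Tomcat). It assumes a web.xml security-constraint on /secure/* requiring the role "manager" and a servlet mapped at the unprotected path /public/report; the paths, the role name and the class name are illustrative.

```java
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Assumed deployment (illustrative, not from the thread). web.xml contains:
 *
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>Secure area</web-resource-name>
 *       <url-pattern>/secure/*</url-pattern>
 *     </web-resource-collection>
 *     <auth-constraint><role-name>manager</role-name></auth-constraint>
 *   </security-constraint>
 *
 * and this servlet is mapped to /public/report, which has no constraint.
 */
public class ReportServlet extends HttpServlet {

    private static final String PROTECTED_JSP = "/secure/report.jsp";
    private static final String REQUIRED_ROLE = "manager";

    /**
     * The pattern from the original post. The container checked only the
     * original request URI (/public/report) and found no constraint, so the
     * constraint on /secure/* is never consulted for the forward target:
     * an unauthenticated client reaches the protected JSP.
     */
    private void forwardUnchecked(HttpServletRequest request,
                                  HttpServletResponse response)
            throws ServletException, IOException {
        RequestDispatcher rd = getServletContext().getRequestDispatcher(PROTECTED_JSP);
        rd.forward(request, response);
    }

    /**
     * Hardened form. The application applies the policy itself, using the
     * identity the Realm established for the original request, before it
     * decides to forward.
     */
    private void forwardChecked(HttpServletRequest request,
                                HttpServletResponse response)
            throws ServletException, IOException {
        if (request.getUserPrincipal() == null) {
            // Not authenticated. A redirect makes the browser issue a new
            // request for the protected URI, so the container's login and
            // authorization machinery runs instead of being forwarded past.
            response.sendRedirect(response.encodeRedirectURL(
                    request.getContextPath() + PROTECTED_JSP));
            return;
        }
        if (!request.isUserInRole(REQUIRED_ROLE)) {
            // Authenticated but not authorized: same answer the container
            // would give for a direct request to /secure/*.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        getServletContext().getRequestDispatcher(PROTECTED_JSP).forward(request, response);
    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        forwardChecked(request, response);
    }
}
```

The same reasoning applies to RequestDispatcher.include(), which SRV.12.2 names alongside forward(). The check before the forward has to express the same policy as the web.xml constraint; if the two drift apart, the unprotected servlet again becomes a path around the Realm. Where the page should simply be reached through the container's own login flow, the redirect is the simpler choice, because the resulting request is an original client request that the constraint does cover.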