Tomcat 4.1 container authentication on jsp:forward

Discussion in 'Java' started by Pavel, Aug 12, 2004.

  1. Pavel

    Pavel Guest

    Greetings to all -

    I've got a problem with Tomcat 4.1.30 container authentication. I'm
    using BASIC authentication and overall it works fine. But I've noticed
    that I can access a protected resource via jsp:forward.

    Here is my security-constraint:
        <security-constraint>
            <web-resource-collection>
                <url-pattern>*.do</url-pattern>
                <url-pattern>/tiles/*</url-pattern>
                <http-method>GET</http-method>
                <http-method>POST</http-method>
            </web-resource-collection>
            <auth-constraint>
                <role-name>SuperUser</role-name>
            </auth-constraint>
        </security-constraint>

    So /index.jsp is not there but all it does is a forward to the
    protected resource: <jsp:forward page="/myAction.do"/>

    I know WebLogic takes care of it via
        <container-descriptor>
            <check-auth-on-forward/>
        </container-descriptor>
    in weblogic.xml.

    Is there a similar solution to this in Tomcat 1.4 besides adding
    <url-pattern>/index.jsp</url-pattern> to
    web-resource-collection?

    I do not want to add <url-pattern>*.jsp</url-pattern> since I'd like
    to have some JSPs unprotected - /error.jsp is one example.

    Any suggestions are appreciated.
    Thank you.
    Pavel
     
    Pavel, Aug 12, 2004
    #1
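
The behaviour described in the post follows from the Servlet specification: security constraints are evaluated against the resource the client requested, and are not applied again when a RequestDispatcher forward (which is what jsp:forward performs) invokes another resource. The sketch below is an added example, not code from the post or from Tomcat; it is a simplified model of url-pattern matching using the patterns from the post, and the class name, method names and the /tiles/header.jsp path are assumptions made for illustration.

```java
import java.util.List;

/** Simplified model of Servlet-spec url-pattern matching for a security constraint. */
public class ConstraintCheck {
    // Patterns and methods copied from the security-constraint in the post.
    static final List<String> PATTERNS = List.of("*.do", "/tiles/*");
    static final List<String> METHODS = List.of("GET", "POST");

    /** Exact, path-prefix ("/x/*") and extension ("*.ext") matching. */
    static boolean matches(String pattern, String path) {
        if (pattern.endsWith("/*")) {
            String prefix = pattern.substring(0, pattern.length() - 2);
            return path.equals(prefix) || path.startsWith(prefix + "/");
        }
        if (pattern.startsWith("*.")) {
            int slash = path.lastIndexOf('/');
            int dot = path.lastIndexOf('.');
            // The extension must belong to the last path segment.
            return dot > slash && path.substring(dot).equals(pattern.substring(1));
        }
        return pattern.equals(path);
    }

    /** True when the container would require the SuperUser role for this client request. */
    static boolean authRequired(String method, String requestPath) {
        return METHODS.contains(method)
            && PATTERNS.stream().anyMatch(p -> matches(p, requestPath));
    }

    public static void main(String[] args) {
        // Constructed sample requests: {method, path requested by client, forward target}.
        // Only the requested path is checked; the forward target never is.
        String[][] requests = {
            {"GET", "/myAction.do", "-"},
            {"GET", "/index.jsp", "/myAction.do"},  // index.jsp forwards internally
            {"GET", "/tiles/header.jsp", "-"},
            {"GET", "/error.jsp", "-"},
        };
        for (String[] r : requests) {
            System.out.printf("%-4s %-18s forward=%-13s authRequired=%b%n",
                r[0], r[1], r[2], authRequired(r[0], r[1]));
        }
    }
}
```

The /index.jsp row reports authRequired=false even though its forward target matches *.do, which is why any unprotected page that forwards to a protected one has to be covered by a constraint itself or has to check the caller's role before forwarding.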