Pavel
Greetings to all -
I've got a problem with Tomcat 4.1.30 container authentication. I'm
using BASIC authentication and overall it works fine. But I've noticed
that I can access a protected resource via jsp:forward.
Here is my security-constraint:
<security-constraint>
  <web-resource-collection>
    <url-pattern>*.do</url-pattern>
    <url-pattern>/tiles/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>SuperUser</role-name>
  </auth-constraint>
</security-constraint>
So /index.jsp is not there but all it does is a forward to the
protected resource: <jsp:forward page="/myAction.do"/>
I know WebLogic takes care of it via
<container-descriptor>
  <check-auth-on-forward/>
</container-descriptor>
in weblogic.xml.
Is there a similar solution to this in Tomcat 1.4 besides adding
<url-pattern>/index.jsp</url-pattern> to
web-resource-collection?
I do not want to add <url-pattern>*.jsp</url-pattern> since I'd like
to have some JSPs to be unprotected - /error.jsp is one example.
Any suggestions are appreciated.
Thank you.
Pavel
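
Added example, not part of the original post: the Servlet specification applies security constraints to the URL the client requests, not to RequestDispatcher forwards or includes, so an audit can list unconstrained JSPs that dispatch into constrained URLs. The `JSP_SOURCES` map and all function names are assumptions made for illustration; the matcher ignores `<http-method>`, query strings and computed `page` values.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input: the constraint quoted in the post, wrapped in <web-app>.
WEB_XML = """<web-app><security-constraint>
  <web-resource-collection>
    <url-pattern>*.do</url-pattern>
    <url-pattern>/tiles/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>SuperUser</role-name></auth-constraint>
</security-constraint></web-app>"""

JSP_SOURCES = {  # constructed: context-relative path -> page source
    "/index.jsp": '<jsp:forward page="/myAction.do"/>',
    "/error.jsp": "<html><body>Error</body></html>",
    "/tiles/header.jsp": '<jsp:include page="/tiles/menu.jsp"/>',
}

DISPATCH_RE = re.compile(r'<jsp:(?:forward|include)\s+page="([^"]+)"')

def protected_patterns(web_xml):
    """URL patterns of every security-constraint that carries an auth-constraint."""
    root = ET.fromstring(web_xml)
    return [p.text.strip()
            for sc in root.iter("security-constraint")
            if sc.find("auth-constraint") is not None
            for p in sc.iter("url-pattern")]

def matches(pattern, path):
    """Servlet-spec url-pattern matching: '/prefix/*', '*.ext', otherwise exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return pattern == path

def is_protected(path, patterns):
    return any(matches(p, path) for p in patterns)

def unprotected_dispatchers(web_xml, jsp_sources):
    """(page, target) pairs where an unconstrained page dispatches to a constrained URL."""
    pats = protected_patterns(web_xml)
    return sorted((page, target)
                  for page, src in jsp_sources.items() if not is_protected(page, pats)
                  for target in DISPATCH_RE.findall(src) if is_protected(target, pats))
```

Each pair returned names a page that must be covered by its own `<url-pattern>` or must not dispatch to the protected target.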