Tomcat 4.1 container authentication on jsp:forward

P

Pavel

Greetings to all -

I've got a problem with Tomcat 4.1.30 container authentication. I'm
using BASIC authentication and overall it works fine. But I've noticed
that I can access a protected resource via jsp:forward.

Here is my security-constraint:
<security-constraint>
<web-resource-collection>
<url-pattern>*.do</url-pattern>
<url-pattern>/tiles/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>SuperUser</role-name>
</auth-constraint>
</security-constraint>

So /index.jsp is not there but all it does is a forward to the
protected resource: <jsp:forward page="/myAction.do"/>

I know weblogic takes care of it via
<container-descriptor>
<check-auth-on-forward/>
</container-descriptor>
in weblogic.xml.

Is there a similar solution to this in Tomcat 1.4 besides adding
<url-pattern>/index.jsp</url-pattern> to
web-resource-collection?

I do not want to add <url-pattern>*.jsp</url-pattern> since I'd like
to have some JSPs to be unprotected - /error.jsp is one example.

Any suggestions are appreciated.
Thank you.
Pavel
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

Forum statistics

Threads
473,744
Messages
2,569,483
Members
44,901
Latest member
Noble71S45

Latest Threads

Top