• Post Reply Bookmark Topic Watch Topic
  • New Topic

security model in include/forward  RSS feed

 
Yan Zhou
Ranch Hand
Posts: 137
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi there,

I read somewhere says that:

The security model doesn't apply when a servlet uses a RequestDispathcer to include or forward a resource

I am not sure what it means exactly. Say servlet A and B specify what roles can access them and they are different. servlet A calls include and forward on servlet B, I doubt the request can go through servlet B.

Thanks.
Yan
 
Paul Bourdeaux
Ranch Hand
Posts: 783
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Assuming you are talking about container manager security, you are correct (kinda). The declarative security module only applies to external requests. A RequestDispatcher uses an internal request.

This can actually be quite useful... You can define a security constraint with an empty <auth-constraint/> element in it. This way no outside request can access the resource, but a RequestDispatcher still can!
 
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!