I am reworking the authentication infrastructure for a medium-sized J2EE application, and I have been writing a simple war to test some strategies.

My test war uses a simplified servlet controller à la Pet Store. In an effort to protect some 'stuff' from being 'called' directly without going through a controller, I installed a security constraint on a URL pattern and set its role to 'nobody', which is not a role in our security realm (LDAP).

Now the protected URL contains JSPs that are forwarded to by the controller (which is protected, but by a different constraint that does have defined roles in our realm).

Tomcat (4.0.2) has no problem allowing the controller to do a RequestDispatcher.forward() to a JSP in the protected URL pattern. iAS 6sp3 (Solaris) generates a 'not authorized' error when attempting to forward to a protected URL.

I guess I am thinking maybe iAS has it right: whether I went to the URL directly or through a forward, the current login doesn't have privs to access the URL.

Who is correct? Also, a co-worker has run a similar test on Weblogic 6 and it appears to behave like Tomcat.

The ultimate objective is to protect the JSPs from direct calls. What might be another strategy? Put them under WEB-INF? Where would one forward to in this setup? Oh, we are likely to bail on iAS soon and go to Weblogic, so a XAppServer solution is highly desirable.
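As an added illustration of the WEB-INF strategy the post asks about (example code, not from the post or from any of the named servers): the Servlet 2.3 spec forbids the container from serving anything under /WEB-INF/ directly to a client, while a RequestDispatcher may still reach it, so a controller can forward to JSPs kept there without relying on any portal-specific security-constraint behaviour. The `FrontController` servlet, the `/WEB-INF/jsp/` directory and the `action` parameter are hypothetical names; the controller itself would still be mapped under a constraint with real realm roles.

```java
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical front controller: the only client-reachable entry point (e.g. mapped
// to /app/*), which is itself covered by a security-constraint with real realm roles.
public class FrontController extends HttpServlet {
    // Views live under /WEB-INF/jsp/. The container never serves this path to a
    // client directly, but a RequestDispatcher obtained by servlet code may reach it.
    private static final String VIEW_DIR = "/WEB-INF/jsp/";
    // Only simple names: no slashes or dots, so a crafted parameter cannot escape VIEW_DIR.
    private static final Pattern SAFE_VIEW = Pattern.compile("[A-Za-z0-9_]+");

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String view = resolveView(req.getParameter("action"));
        if (view == null) {
            // Unknown or malformed action: refuse rather than forward anywhere.
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Forward target is a context-relative path inside WEB-INF; clients cannot
        // request it directly, so the JSP is only ever rendered via this controller.
        RequestDispatcher rd =
                getServletContext().getRequestDispatcher(VIEW_DIR + view + ".jsp");
        rd.forward(req, resp);
    }

    // Map an action to a view name using an explicit allow-list; anything else is null.
    static String resolveView(String action) {
        if (action == null || !SAFE_VIEW.matcher(action).matches()) {
            return null;
        }
        if (action.equals("home") || action.equals("catalog")) {
            return action;
        }
        return null;
    }
}
```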