Web tier: servlets, JSP, Web frameworks: security constraints when using forward

    I am designing a web app, in which I am trying to use container-managed security. I have specified security constraints for certain URL patterns, and they work correctly.

    However, if I forward a request in a JSP or a servlet to a secure resource, the security constraint is ignored, i.e., even if I am not authenticated, I am allowed to view the secure resource. I am using Tomcat 4.0.1, and since this is the reference implementation for J2EE, I am concerned as to why this would be allowed.


  2. I assume that the security validation is done as part of the initial URL processing, and a local redirect does not go through that processing.
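One defensive pattern for the situation described above, as an added example that is not from this thread: the container applies `<security-constraint>` rules only to requests arriving from the client, and `RequestDispatcher.forward()`/`include()` are internal dispatches that bypass them, so a servlet that forwards to a protected resource must repeat the check itself. The target path `/admin/report.jsp`, the role name `manager`, and the servlet name are assumptions.

```java
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example, not code from the original thread.
 * Container-managed security is evaluated when a request enters the
 * container from the client. A forward() never re-enters that path, so
 * any servlet that forwards to a protected resource must enforce the
 * same rule before calling forward().
 *
 * Assumed deployment: web.xml constrains /admin/* to the role "manager".
 */
public class ReportServlet extends HttpServlet {
    private static final String PROTECTED_TARGET = "/admin/report.jsp"; // assumed path
    private static final String REQUIRED_ROLE = "manager";              // assumed role

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. Not authenticated: do not forward. Redirecting the client to the
        //    protected URL makes the browser issue a new request, which the
        //    container does subject to the security constraint, so its own
        //    login challenge (BASIC/FORM) takes over.
        if (req.getUserPrincipal() == null) {
            resp.sendRedirect(req.getContextPath() + PROTECTED_TARGET);
            return;
        }
        // 2. Authenticated but not in the required role: mirror the web.xml
        //    constraint and refuse, exactly as the container would.
        if (!req.isUserInRole(REQUIRED_ROLE)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // 3. Both checks passed: the forward now grants nothing the caller
        //    could not have obtained by requesting the resource directly.
        RequestDispatcher rd = getServletContext().getRequestDispatcher(PROTECTED_TARGET);
        rd.forward(req, resp);
    }
}
```

`getUserPrincipal()` and `isUserInRole()` are part of the Servlet 2.2+ API, so this works on a Tomcat 4.x container; the trade-off of the redirect in step 1 is that request attributes set before the forward are lost.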