<jsp:forward> bypasses Acegi?
This topic is closed

  • <jsp:forward> bypasses Acegi?

    I have a simple test app that secures a subdirectory. If I navigate to that directory directly in the browser, I'm redirected to the login form as expected. However, if I forward to a page in the secure directory from an unsecured page using <jsp:forward>, it displays the secured page without forcing a login. Is this the expected behavior? Thx.

  • #2
    The same happens to me:

    With <c:redirect url="/home.webx"/> in my index.jsp page, since home.webx requires authentication, I'm redirected to the login page.

    With <jsp:forward page="/home.webx"/> it goes directly to the home page without authenticating.

    For pearsons_11114..... try using the <c:redirect> tag.

    bye



    • #3
      Quoting http://java.sun.com/webservices/docs...ecurity4.html:

      Security constraints only work on the original request URI, not on calls made via a RequestDispatcher (which include <jsp:include> and <jsp:forward>). Inside the application, it is assumed that the application itself has complete access to all resources and would not forward a user request unless it had decided that the requesting user had access also.

      Quoting http://www.fawcette.com/javapro/2002...fault_pf.aspx:

      ... filters aren't executed when a RequestDispatcher is used.

      Given the RequestDispatcher is used when you call jsp:forward, but the RequestDispatcher does not cause the filters to run, Acegi Security has no way of securing the request.



      • #4
        Acegi forwarder or jsp:forward between allowed tag?

        What do you think would be the best approach to control these forwarding issues?

        Right now I think the best solution would be a tag that performs the forwarding, since the other would force you to configure the forwarded URL in 2 places.



        • #5
          Sorry, I don't really follow your question. Acegi Security has no way of securing web requests caused by a <jsp:forward> because its filter is never executed. Of course, if the JSP calls another object secured by, say, MethodSecurityInterceptor, it will be secured, but most people use FilterSecurityInterceptor to secure web requests.

          I think it would be preferable if people use <c:redirect> alone, or bear in mind when using <jsp:forward> that Acegi Security cannot enforce security via FilterSecurityInterceptor.



          • #6
            If you're using a Servlet 2.4 container, you should be able to add the following after the url-pattern of your filter to trap forwards, as well as requests:

            Code:
                    <dispatcher>REQUEST</dispatcher>
                    <dispatcher>FORWARD</dispatcher>



            • #7
              See http://opensource.atlassian.com/proj.../browse/SEC-14 and http://forum.springframework.org/showthread.php?t=15291.
              Last edited by robyn; May 16th, 2006, 03:33 AM.
