Thread: Security Issue with forward (org.apache.tomcat.users, 2 messages)
  Bruno Antunes        Jul 3, 2002 10:06 am
  Craig R. McClanahan  Jul 3, 2002 10:55 am
Subject: Security Issue with forward
From: Bruno Antunes (bant@whateversoft.com)
Date: Jul 3, 2002 10:06:35 am
List: org.apache.tomcat.users

I have found that Tomcat only checks the <security-constraint> if the request comes from the client. Let me exemplify:

- I have in the root of a webapp a jsp [let's name it index.jsp] that forwards requests to a protected resource named protected/myProtectedResource.do [or a servlet that will forward requests using
  request.getRequestDispatcher("/protected/myProtectedResource.do").forward(request,response) ]

I have defined in the web.xml a security-constraint that protects only the sub-directory protected, so everything in the root is not protected:

    <security-constraint>
      <display-name>Security Constraint</display-name>
      <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <url-pattern>/protected/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>manager</role-name>
      </auth-constraint>
      <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

I have also defined a login in the web.xml:

    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>Sample Application</realm-name>
      <form-login-config>
        <form-login-page>/login/login.jsp</form-login-page>
        <form-error-page>/login/error.jsp</form-error-page>
      </form-login-config>
    </login-config>

Situations that happen:

1- If the user types in the browser the URL index.jsp, he sees the content of the protected resource.
2- If the user types in the browser the URL of the protected resource and is not authenticated, credentials are asked for.

Situation 2 is clear, but situation 1 is not. Is that correct in terms of the servlet specification? I have seen other web containers implementing this (for situation 1) in another way: they always force authentication for protected resources.

--
Bruno Antunes, Java Software Engineer
email: mailto:brun@whateversoft.com
Phone: +351.21.7994200
Fax: +351.21.7994242

WhatEverSoft - Java Center
Centro de Competencia Java
Praca de Alvalade, 6 - Piso 4
1700-036 Lisboa - Portugal
URL: http://www.whatevernet.com
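Because the container applies the <security-constraint> only to requests arriving from the client, a servlet that forwards into /protected/* has to enforce the same role itself. The following is an added example written for this thread, not code from the post or from Tomcat; it assumes the path and the "manager" role from the web.xml above, and the servlet class name is hypothetical.

```java
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical front servlet (not from the original post). It forwards to the
// protected resource only after re-checking the role that the
// <security-constraint> demands, since the container does not apply that
// constraint to RequestDispatcher.forward().
public class GuardedForwardServlet extends HttpServlet {

    private static final String PROTECTED_PATH = "/protected/myProtectedResource.do";
    private static final String REQUIRED_ROLE = "manager"; // from the post's <auth-constraint>

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Not authenticated: the container never challenged the browser, so send
        // it to the protected URL directly. That request comes from the client,
        // so the FORM login configured in web.xml is applied by the container.
        if (request.getUserPrincipal() == null) {
            response.sendRedirect(request.getContextPath() + PROTECTED_PATH);
            return;
        }
        // Authenticated but without the required role: refuse, matching what
        // the container would do for a direct request to /protected/*.
        if (!request.isUserInRole(REQUIRED_ROLE)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Only now is the server-side forward equivalent to a checked direct request.
        RequestDispatcher dispatcher = request.getRequestDispatcher(PROTECTED_PATH);
        dispatcher.forward(request, response);
    }
}
```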