Thread: <jsp:forward> bypasses Acegi?

  1. #1

    I have a simple test app that secures a subdirectory. If I navigate to that directory directly in the browser, I'm redirected to the login form as expected. However, if I forward to a page in the secure directory from an unsecured page using <jsp:forward>, it displays the secured page without forcing a login. Is this the expected behavior? Thx.


  2. #2

    The same happens to me:

    With <c:redirect url="/home.webx"/> in my index.jsp page, since home.webx requires authentication, I'm redirected to the login page.

    With <jsp:forward page="/home.webx"/> it goes directly to the home page without authenticating.

    For pearsons_11114..... try using the <c:redirect> tag.

    bye

  3. #3

    Quoting http://java.sun.com/webservices/docs...ecurity4.html:

    "Security constraints only work on the original request URI, not on calls made via a RequestDispatcher (which include <jsp:include> and <jsp:forward>). Inside the application, it is assumed that the application itself has complete access to all resources and would not forward a user request unless it had decided that the requesting user had access also."

    Quoting http://www.fawcette.com/javapro/2002...fault_pf.aspx:

    "... filters aren't executed when a RequestDispatcher is used."

    Given the RequestDispatcher is used when you call jsp:forward, but the RequestDispatcher does not cause the filters to run, Acegi Security has no way of securing the request.

  4. #4

    Acegi forwarder or jsp:forward between allowed tag?

    What do you think would be the best approach to control these forwarding issues?

    Right now I think the best solution would be a tag that performs the forwarding, since the other would force configuring the forwarded URL in 2 places.

  5. #5

    Sorry, I don't really follow your question. Acegi Security has no way of securing web requests caused by a <jsp:forward> because its filter is never executed. Of course, if the JSP calls another object secured by, say, MethodSecurityInterceptor, it will be secured, but most people use FilterSecurityInterceptor to secure web requests.

    I think it would be preferable if people use <c:redirect> alone, or bear in mind that when using <jsp:forward>, Acegi Security cannot enforce security via FilterSecurityInterceptor.

  6. #6

    If you're using a Servlet 2.4 container, you should be able to add the following after the url-pattern of your filter to trap forwards, as well as requests:

    Code:
            <dispatcher>REQUEST</dispatcher>
            <dispatcher>FORWARD</dispatcher>
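
A check for the gap discussed in posts #3 and #6, as an added example that is not part of the thread or of Acegi Security: it parses a web.xml and lists the filter mappings whose filter will not run on a forward. The descriptor, filter names and URL patterns are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not from the thread). Filter names and URL
# patterns are hypothetical.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <filter-mapping>
    <filter-name>securityFilterRequestOnly</filter-name>
    <url-pattern>/secure/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>securityFilterWithForward</filter-name>
    <url-pattern>/admin/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
  </filter-mapping>
</web-app>
"""

def local(tag):
    """Strip the XML namespace so descriptors of any schema version parse alike."""
    return tag.rsplit("}", 1)[-1]

def filter_dispatchers(web_xml):
    """Return [(filter-name, target, dispatcher set)] for every <filter-mapping>."""
    results = []
    for el in ET.fromstring(web_xml).iter():
        if local(el.tag) != "filter-mapping":
            continue
        fields = {"dispatcher": []}
        for child in el:
            name, text = local(child.tag), (child.text or "").strip()
            if name == "dispatcher":
                fields["dispatcher"].append(text.upper())
            else:
                fields[name] = text
        target = fields.get("url-pattern") or fields.get("servlet-name", "")
        # With no <dispatcher> element the filter applies to REQUEST only.
        dispatchers = set(fields["dispatcher"]) or {"REQUEST"}
        results.append((fields.get("filter-name", ""), target, dispatchers))
    return results

def missing_dispatch(web_xml, required=("REQUEST", "FORWARD")):
    """List mappings whose filter is skipped for a required dispatch type."""
    return [(name, target, sorted(set(required) - have))
            for name, target, have in filter_dispatchers(web_xml)
            if set(required) - have]

if __name__ == "__main__":
    for name, target, gaps in missing_dispatch(SAMPLE_WEB_XML):
        print(f"{name} on {target}: not applied to {', '.join(gaps)}")
```

Pass `required=("REQUEST", "FORWARD", "INCLUDE")` to also flag mappings that skip `<jsp:include>` dispatches.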
