e.,
/secure/job-openings.html) without being authorized to do so. Because we are using
the RequestDispatcher.forward method, the originally requested URL is
shown in the browser's address bar (Figure 5-10): the container enforces its declarative
security constraints only on the request that arrives from the client, so a server-side
forward to a protected resource never triggers the login prompt. If the SecurityHolePlugFilter
is enabled, it intercepts the RequestDispatcher.forward call and converts it
into a direct client request using the response.sendRedirect method. This
invocation becomes no different from trying to directly invoke http://localhost/
filtersrus/secure/job-openings.html, so the server asks for a username and
password to proceed (Figure 5-11). If the user successfully logs in with a username
belonging to the executive role, the screen captured in Figure 5-12 is shown.
Note that even though the originally requested URL was http://localhost/filtersrus/
SecurityHole, the filter forced the client to directly request the resource, thus changing
the requested URL to http://localhost/filtersrus/secure/job-openings.html. The price of
this approach is that the redirected request is a fresh GET issued by the browser: request
attributes set by the forwarding servlet and any POST data are not carried over.
Listing 5.27 shows the complete code for job-openings.html.
Listing 5.24 SecurityHolePlugFilter.java
package coreservlets.filters;
import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;
/** This filter converts any request that it is configured to
* intercept into a direct client request. This prevents
* developers from making a mistake by dynamically forwarding
* the client to a secure resource, bypassing the
* declarative security mechanism.
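The following is an added example of the technique the filter description above outlines; it is not the book's Listing 5.24 and does not reproduce its code. The class names (ForwardToRedirectFilter, RedirectingRequest, RedirectingDispatcher) are chosen here for illustration. The idea is to wrap the request so that any RequestDispatcher a servlet obtains from it turns forward() into a client-side redirect, which puts the request back in front of the container's security constraints:

```java
package coreservlets.filters;

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Added example (not the book's listing). Wraps each intercepted request so
 *  that request.getRequestDispatcher(path).forward(...) becomes
 *  response.sendRedirect(path): the browser must then request the target
 *  itself, and any <security-constraint> covering it is enforced. */
public class ForwardToRedirectFilter implements Filter {

  public void init(FilterConfig config) throws ServletException {}
  public void destroy() {}

  public void doFilter(ServletRequest request, ServletResponse response,
                       FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest req = (HttpServletRequest) request;
    HttpServletResponse res = (HttpServletResponse) response;
    // Hand the servlet a wrapped request; everything else passes through.
    chain.doFilter(new RedirectingRequest(req, res), res);
  }

  /** Request wrapper that intercepts getRequestDispatcher(). */
  private static class RedirectingRequest extends HttpServletRequestWrapper {
    private final HttpServletResponse response;

    RedirectingRequest(HttpServletRequest request, HttpServletResponse response) {
      super(request);
      this.response = response;
    }

    @Override
    public RequestDispatcher getRequestDispatcher(String path) {
      // sendRedirect treats a leading "/" as container-relative, so a
      // context-relative forward path must be prefixed with the context path.
      // A relative path is resolved against the directory of the request URI,
      // e.g. /filtersrus/SecurityHole + "secure/job-openings.html"
      //   -> /filtersrus/secure/job-openings.html
      String target = path.startsWith("/")
          ? getContextPath() + path
          : resolveRelative(getRequestURI(), path);
      return new RedirectingDispatcher(response, target);
    }

    private static String resolveRelative(String requestURI, String path) {
      int slash = requestURI.lastIndexOf('/');
      return requestURI.substring(0, slash + 1) + path;
    }
  }

  /** RequestDispatcher whose forward() is a redirect and whose include()
   *  is refused, since an include would copy protected content into an
   *  unprotected response in exactly the same way. */
  private static class RedirectingDispatcher implements RequestDispatcher {
    private final HttpServletResponse response;
    private final String target;

    RedirectingDispatcher(HttpServletResponse response, String target) {
      this.response = response;
      this.target = target;
    }

    public void forward(ServletRequest request, ServletResponse resp)
        throws ServletException, IOException {
      // 302 to the target; the client's new request is subject to web.xml
      // security constraints like any other direct request.
      response.sendRedirect(response.encodeRedirectURL(target));
    }

    public void include(ServletRequest request, ServletResponse resp)
        throws ServletException, IOException {
      throw new ServletException(
          "include() of " + target + " blocked; the client must request it directly");
    }
  }
}
```

Map the filter in web.xml to the url-pattern of the servlets that do the forwarding (for the example above, the SecurityHole servlet). Two limits are worth knowing before relying on it: a servlet that obtains its dispatcher from ServletContext.getRequestDispatcher or getNamedDispatcher never goes through the wrapper, so this is a safety net for the common request.getRequestDispatcher case rather than a complete enforcement point; and because the redirect produces a new GET, request attributes and POST parameters the forwarding servlet set up are lost, as noted in the text above.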