[OWASP-ESAPI] SecurityRequestWrapper

Chris Schmidt chrisisbeef at gmail.com
Thu Dec 3 10:49:04 EST 2009

I can see a lot of situations where this makes sense, but what to do if you
need to do a server side forward to someplace that is publicly accessable? I
know in our codebase at work, we very frequently need to do this, and a 301
is not acceptable for SEO reasons? It seems like at minimum, this behavior
should be configurable. Perhaps a configuration option for the
SecurityWrapper so that multiple filters could be setup which have different


On Thu, Dec 3, 2009 at 4:07 AM, Jeff Williams <jeff.williams at owasp.org>wrote:

> This is intended to make sure that developers put resources inside web-inf
> where they can't be force browsed to.
> --Jeff
> On Dec 3, 2009, at 1:46 AM, Chris Schmidt <chrisisbeef at gmail.com> wrote:
>  Is there a good reason that the getRequestDispatcher method in this
>> wrapper requires the path to begin with WEB-INF?
>> In my experience, this seems completely counter intuitive and actually
>> the opposite of what I would envision the overriden method to do.
>> I think this should instead be checking for traversal issues and
>> making sure the requested path does NOT start with WEB-INF but maybe I
>> am missing something?
>> Sent from my iPwn
>> _______________________________________________
>> OWASP-ESAPI mailing list
>> OWASP-ESAPI at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-esapi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-esapi/attachments/20091203/6b92cc70/attachment-0001.html 

More information about the OWASP-ESAPI mailing list