This is something I just noticed, don't know if it is 'to spec', a Jetty bug or a gap in the spec...
We are using struts to intercept every page request to both static and dynamic resources. I secure the URL pattern /admin/* so that only users of admin role can access the .JSPs here... But our struts implementation uses forward mappings to Forward (not redirect) the requests to the destination resource.
So if the original URL (pre-forward, the one that shows in the surfer's browser) is not specifying a resource under the /admin/* path, then the server serves the .JSPs from the admin folder without invoking a security check.
So: if a jsp Forwards a request to a .jsp in a secure realm, and if the initial jsp is not in a secure realm there will be no security check...
Is this the correct behaviour?
Yes, this is as per the Servlet Specification; bit of a flaw if you ask me...
"The security model applies to the static content part of the web application and to servlets within the application that are requested by the client. The security model does not apply when a servlet uses the RequestDispatcher to invoke a static resource or servlet using a forward or an include."
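Since the container's `<security-constraint>` is skipped on forwards and includes, the usual mitigation is a filter mapped with `<dispatcher>FORWARD</dispatcher>` and `<dispatcher>INCLUDE</dispatcher>` so the role check runs on the dispatch target as well. The filter below is an added example, not code from this thread, Jetty or Struts; it assumes Servlet 2.4 or later (the `<dispatcher>` element and the `javax.servlet.forward.request_uri` attribute) and a hypothetical role name `admin`.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: enforces the admin role on every dispatch to /admin/*,
// including the forwards/includes that <security-constraint> does not cover.
// Map it in web.xml with (Servlet 2.4+):
//   <filter-mapping>
//     <filter-name>AdminRoleFilter</filter-name>
//     <url-pattern>/admin/*</url-pattern>
//     <dispatcher>REQUEST</dispatcher>
//     <dispatcher>FORWARD</dispatcher>
//     <dispatcher>INCLUDE</dispatcher>
//   </filter-mapping>
public class AdminRoleFilter implements Filter {
    private static final String REQUIRED_ROLE = "admin"; // assumed role name
    private ServletContext ctx;

    public void init(FilterConfig config) { ctx = config.getServletContext(); }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // On a forward, getRequestURI() is the target (/admin/...) path; the
        // client-visible origin is kept in this attribute for logging only.
        String origin = (String) request.getAttribute("javax.servlet.forward.request_uri");

        // isUserInRole() is false for an unauthenticated principal, so a
        // forward from an unprotected page does not pass the check.
        if (!request.isUserInRole(REQUIRED_ROLE)) {
            ctx.log("Denied " + request.getRequestURI()
                    + (origin != null ? " forwarded from " + origin : ""));
            // sendError is a no-op inside an include and after a commit, so
            // fail hard there instead of silently rendering nothing.
            if (response.isCommitted()) throw new ServletException("admin resource denied");
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() {}
}
```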