Home/ Questions/Q 7604829
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-31T00:00:39+00:00

To understand the question I will explain the situation: main.jsp – the main window

  • 0

To understand the question I will explain the situation:
main.jsp – the main window of the application
jsp_seacurity.jsp – JSP file which send redirect in case user has no access to given page (I created separate file to reuse it in different pages)
noaccess.jsp – access denied page

In my main.jsp, one of the first lines is:

<jsp:include page="jsp_security.jsp?bo_item=main&bo_permission=view"/>

In jsp_security.jsp I do some checks and if the user doesn’t have permission for specific part of application I have the following code:

<jsp:forward page="noaccess.jsp"/>

After signing in with user without permission for main.jsp, I have noticed, Glassfish was showing exception in log file, which was occurring in some line of main.jsp which is after my jsp:include. I have checked jsp:include documentation and that was what I found

When the include action is finished, the JSP container continues
processing the remainder of the JSP file.

And now the question is, does it continue processing main.jsp even after I perform jsp:forward in jsp_security.jsp? Is there any workaround for this? I’m not pro in security, maybe what I’m doing is completely wrong?

Thanks for help,
Serhiy.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    It does. What this line puts in the generated servlet file (a jsp is compiled to a servlet), is request.getRequestDispatcher("target.jsp").forward(req, resp).

    This does not mean the doGet() method returns – it will continue to execute.

    That’s why you should use a Filter to add security checks. If the condition is not met, you don’t call chain.doFilter() but redirect to a ‘forbidden’ page instead.

    • 0