Malika,
I am sorry Frits, I still don't understand how to respond to this question. What I see is that we have a "manager" user that tries to access /jsp/protected.jsp
I still don't see what Forwarding or including have to do with this.
It seems Ankit's and my responses didn't solve your question. Let me try to explain it in another way.
There is a security constraint defined on /jsp/protected.jsp, so if we try to access it like (assume MyWebApp is the context root of your webapp) http://localhost:8080/MyWebApp/jsp/protected.jsp, the server will check the last part of the URL, /jsp/protected.jsp, against all the security constraints defined in the web.xml. It will find a constraint and only allow managers to access it.
There is no security constraint defined on /jsp/unprotected.jsp, so if we access it like http://localhost:8080/MyWebApp/jsp/unprotected.jsp, the server will check /jsp/unprotected.jsp against all the security constraints defined in the web.xml and won't find any. Hence it will allow the request to be delivered to the jsp.
The server will not check any content of the jsp or Servlet, meaning that if that jsp includes or forwards to another jsp (or the Servlet does a forward to or include of another Servlet) it won't be taken into account.
See also the spec:
SRV.12.2 Declarative Security
The security model applies to the static content part of the web application
and to servlets and filters within the application that are requested by the client.
The security model does not apply when a servlet uses the RequestDispatcher to
invoke a static resource or servlet using a forward or an include.
Does this make things clearer?
Regards,
Frits
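To make Frits's point concrete, here is an added example (my own illustration, not code from this thread): a servlet that forwards to /jsp/protected.jsp and, because the container only checks the URL the client originally requested, has to verify the role itself before forwarding. The servlet mapping /report, the class name and the web.xml fragment in the comment are assumptions constructed for the example; the role name "manager" is the one used in the thread.

```java
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Assumed web.xml fragment (constructed for this example), protecting only
 * the URL the client asks for:
 *
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>Protected page</web-resource-name>
 *       <url-pattern>/jsp/protected.jsp</url-pattern>
 *     </web-resource-collection>
 *     <auth-constraint>
 *       <role-name>manager</role-name>
 *     </auth-constraint>
 *   </security-constraint>
 *
 * The container compares the request URL against this pattern once, when the
 * request arrives. It does not re-check when a servlet forwards internally.
 */
@WebServlet("/report")   // hypothetical mapping (Servlet 3.0+); no constraint covers /report
public class ReportServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Without this check, any caller of /report reaches protected.jsp,
        // because SRV.12.2 excludes RequestDispatcher forwards and includes
        // from the declarative security model.
        if (req.getUserPrincipal() == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (!req.isUserInRole("manager")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Role verified programmatically; the forward itself is unchecked.
        RequestDispatcher rd = req.getRequestDispatcher("/jsp/protected.jsp");
        rd.forward(req, resp);
    }
}
```

Placing the JSP under /WEB-INF/ would additionally stop direct client requests, so that a forward (and therefore a check like the one above) becomes the only way to reach it.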