Reputation: 4141
To understand the question I will explain the situation:
main.jsp - the main window of the application
jsp_security.jsp - JSP file which sends a redirect in case the user has no access to the given page (I created a separate file to reuse it in different pages)
noaccess.jsp - access denied page
In my main.jsp, one of the first lines is:
<jsp:include page="jsp_security.jsp?bo_item=main&bo_permission=view"/>
In jsp_security.jsp I do some checks, and if the user doesn't have permission for a specific part of the application I have the following code:
<jsp:forward page="noaccess.jsp"/>
After signing in with a user without permission for main.jsp, I noticed that Glassfish was showing an exception in the log file, which was occurring in some line of main.jsp that comes after my jsp:include. I checked the jsp:include documentation and this is what I found:
When the include action is finished, the JSP container continues processing the remainder of the JSP file.
And now the question is, does it continue processing main.jsp even after I perform jsp:forward in jsp_security.jsp? Is there any workaround for this? I'm not a pro in security, maybe what I'm doing is completely wrong?
Thanks for help,
Serhiy.
Upvotes: 1
Views: 598
Reputation: 597234
It does. What this line puts in the generated servlet file (a jsp is compiled to a servlet), is request.getRequestDispatcher("target.jsp").forward(req, resp). This does not mean the doGet() method returns - it will continue to execute.
That's why you should use a Filter to add security checks. If the condition is not met, you don't call chain.doFilter() but redirect to a 'forbidden' page instead.
Upvotes: 1
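The Filter approach described in the answer above, as an added example that is not part of the original thread. It assumes the javax.servlet API (jakarta.servlet on newer containers), and the session attribute "permissions" and the "main:view" permission string are hypothetical stand-ins for whatever check jsp_security.jsp performs.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Runs before any JSP is executed, so a denied request never reaches main.jsp at all.
@WebFilter("*.jsp")
public class PermissionFilter implements Filter {

    // Hypothetical mapping: protected page -> permission it requires.
    // Pages missing from this map are allowed through; a deny-by-default
    // policy would invert this and list only the public pages (e.g. noaccess.jsp).
    private static final Map<String, String> REQUIRED =
            Collections.singletonMap("/main.jsp", "main:view");

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        String needed = REQUIRED.get(request.getServletPath());
        if (needed != null && !hasPermission(request.getSession(false), needed)) {
            response.sendRedirect(request.getContextPath() + "/noaccess.jsp");
            return; // chain.doFilter() is never called, so the JSP body does not run
        }
        chain.doFilter(req, resp); // permitted: continue to the requested page
    }

    // Assumption: the login code stored a Set<String> of granted permissions in the session.
    private static boolean hasPermission(HttpSession session, String needed) {
        if (session == null) return false;
        Object granted = session.getAttribute("permissions");
        return granted instanceof Set && ((Set<?>) granted).contains(needed);
    }

    @Override
    public void destroy() { }
}
```

The explicit `return` after `sendRedirect` matters for the same reason the forward in the question did not stop main.jsp: neither call ends the method on its own.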