RE: Controlling Direct Access to jsp pages
Hi,

Shouldn't this work for Tomcat too? I am trying to lock down some JSPs using the same procedure with an empty auth-constraint, but http://localhost/x/y.jsp still shows the JSP.

Thanks,
Mohan

-----Original Message-----
From: Kris Schneider [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 13, 2003 11:55 PM
To: Struts Users Mailing List
Subject: RE: Controlling Direct Access to jsp pages

> Here's an approach that works with WebLogic 7. All the JSPs except index.jsp (the welcome page) are kept in a directory called pages. index.jsp simply contains:
>
>     <%@ taglib prefix="logic" uri="http://jakarta.apache.org/struts/tags-logic" %>
>     <logic:forward name="main"/>
>
> where main is the name of a global forward that represents the true entry point into the app. web.xml contains:
>
>     <security-constraint>
>       <web-resource-collection>
>         <web-resource-name>Pages</web-resource-name>
>         <url-pattern>/pages/*</url-pattern>
>       </web-resource-collection>
>       <auth-constraint/>
>     </security-constraint>
>
> An empty auth-constraint is interpreted to mean "deny all access".
>
> Quoting Colquhoun, Adrian <[EMAIL PROTECTED]>:
>
> > I have had a go at this - I get a 500 error message "Cannot perform access control without an authenticated principal" - presumably I need to do something else as well?
> >
> > -----Original Message-----
> > From: David Graham [mailto:[EMAIL PROTECTED]]
> > Sent: 13 January 2003 15:54
> > To: [EMAIL PROTECTED]
> > Subject: Re: Controlling Direct Access to jsp pages
> >
> > > Put this security info at the bottom of your web.xml to prevent access to any *.jsp file:
> > >
> > >     <security-constraint>
> > >       <web-resource-collection>
> > >         <web-resource-name>SecureAllJSPs</web-resource-name>
> > >         <url-pattern>*.jsp</url-pattern>
> > >       </web-resource-collection>
> > >       <auth-constraint>
> > >         <role-name>nobody</role-name>
> > >       </auth-constraint>
> > >     </security-constraint>
> > >
> > >     <security-role>
> > >       <description>No one should be put in this role.</description>
> > >       <role-name>nobody</role-name>
> > >     </security-role>
> > >
> > > David
> > >
> > > From: Colquhoun, Adrian <[EMAIL PROTECTED]>
> > > Reply-To: Struts Users Mailing List <[EMAIL PROTECTED]>
> > > To: '[EMAIL PROTECTED]' <[EMAIL PROTECTED]>
> > > Subject: Controlling Direct Access to jsp pages
> > > Date: Mon, 13 Jan 2003 15:40:45 -
> > >
> > > > Hi
> > > >
> > > > If I have three pages in my view layer that must be called in sequence, e.g.
> > > >
> > > > - step1.jsp then
> > > > - step2.jsp then
> > > > - step3.jsp
> > > >
> > > > How do I ensure that my users do not call step2 and step3 directly via a web browser? Do I need to use a custom tag in pages 2 and 3 to check this, or is there some way to force all requests for .jsp pages in my application to route via the ActionServlet?
> > > >
> > > > Thanks
> > > >
> > > > Adrian
> > > >
> > > > ===
> > > > Information in this email and any attachments are confidential, and may not be copied or used by anyone other than the addressee, nor disclosed to any third party without our permission. There is no intention to create any legally binding contract or other commitment through the use of this email.
> > > >
> > > > Experian Limited (registration number 653331). Registered office: Talbot House, Talbot Street, Nottingham NG1 5HF
Re: Controlling Direct Access to jsp pages
Definitely yes. We are using this Struts extension in all our major projects, and I know of a couple of people who are using it, because I get some input and new ideas from them every now and then, which I very much appreciate.

--- Matthias

Colquhoun, Adrian wrote:

> Thanks Matthias
>
> This looks like it is exactly what I was looking for - I will have a go with this today. Do you still have this code under active development?
>
> Regards
>
> Adrian
>
> -----Original Message-----
> From: Matthias Bauer [mailto:[EMAIL PROTECTED]]
> Sent: 14 January 2003 07:57
> To: Struts Users Mailing List
> Subject: Re: Controlling Direct Access to jsp pages
>
> > Adrian,
> >
> > I saw a lot of answers to your question regarding how to protect the JSP files. I think protecting direct access to the JSP files is only one thing. The other is to force the execution of the associated actions in the right order, i.e. step3.do after step2.do and this one after step1.do. For this task you might want to check out the following:
> >
> > http://www.livinglogic.de/Struts/
> >
> > This is a simple workflow framework incorporated into Struts that allows you to do exactly this via definitions in the struts config file.
> >
> > --- Matthias
RE: Controlling Direct Access to jsp pages
It should work, just differently. TC will return a "500 Configuration error: Cannot perform access control without an authenticated principal", whereas WLS7 will return a "403 Forbidden". What does the security-constraint element in your web.xml look like?

With TC, however, it's easier just to locate the pages somewhere under WEB-INF and forget about the security-constraint. Personally, I'd prefer to do it that way; it's just that my apps have to run under WLS7 when they get released.

Quoting Mohan Radhakrishnan <[EMAIL PROTECTED]>:

> Hi,
>
> Shouldn't this work for Tomcat too? I am trying to lock down some JSPs using the same procedure with an empty auth-constraint, but http://localhost/x/y.jsp still shows the JSP.
>
> Thanks,
> Mohan

--
Kris Schneider mailto
RE: Controlling Direct Access to jsp pages
I place them all under /WEB-INF and force them to go through my action classes. There are other ways, but this is the most convenient for me.

<disclaimer>Use at your own risk. Not all containers support doing it this way.</disclaimer>

--
James Mitchell

-----Original Message-----
From: Colquhoun, Adrian [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 13, 2003 10:41 AM
To: '[EMAIL PROTECTED]'
Subject: Controlling Direct Access to jsp pages

> Hi
>
> If I have three pages in my view layer that must be called in sequence, e.g.
>
> - step1.jsp then
> - step2.jsp then
> - step3.jsp
>
> How do I ensure that my users do not call step2 and step3 directly via a web browser? Do I need to use a custom tag in pages 2 and 3 to check this, or is there some way to force all requests for .jsp pages in my application to route via the ActionServlet?
>
> Thanks
>
> Adrian
RE: Controlling Direct Access to jsp pages
I've heard of this approach to protecting access to JSP pages, but I've never been able to get it to work. How, exactly, do you route to a JSP in the /WEB-INF directory? Could you maybe provide a little of the struts-config.xml file that would do this, or the code in the Action class that does this?

Thanks.

>>> [EMAIL PROTECTED] 01/13/03 08:50AM >>>

> I place them all under /WEB-INF and force them to go through my action classes. There are other ways, but this is the most convenient for me.
>
> <disclaimer>Use at your own risk. Not all containers support doing it this way.</disclaimer>
>
> --
> James Mitchell
RE: Controlling Direct Access to jsp pages
Last time I checked, WebLogic is the only server I know of that does not support this feature. Do you know of other containers that don't support this feature?

Thanks

-----Original Message-----
From: James Mitchell [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 13, 2003 9:50 AM
To: 'Struts Users Mailing List'
Subject: RE: Controlling Direct Access to jsp pages

> I place them all under /WEB-INF and force them to go through my action classes. There are other ways, but this is the most convenient for me.
>
> <disclaimer>Use at your own risk. Not all containers support doing it this way.</disclaimer>
>
> --
> James Mitchell
Re: Controlling Direct Access to jsp pages
Put this security info at the bottom of your web.xml to prevent access to any *.jsp file:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>SecureAllJSPs</web-resource-name>
        <url-pattern>*.jsp</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>nobody</role-name>
      </auth-constraint>
    </security-constraint>

    <security-role>
      <description>No one should be put in this role.</description>
      <role-name>nobody</role-name>
    </security-role>

David

From: Colquhoun, Adrian <[EMAIL PROTECTED]>
Reply-To: Struts Users Mailing List <[EMAIL PROTECTED]>
To: '[EMAIL PROTECTED]' <[EMAIL PROTECTED]>
Subject: Controlling Direct Access to jsp pages
Date: Mon, 13 Jan 2003 15:40:45 -

> Hi
>
> If I have three pages in my view layer that must be called in sequence, e.g.
>
> - step1.jsp then
> - step2.jsp then
> - step3.jsp
>
> How do I ensure that my users do not call step2 and step3 directly via a web browser? Do I need to use a custom tag in pages 2 and 3 to check this, or is there some way to force all requests for .jsp pages in my application to route via the ActionServlet?
>
> Thanks
>
> Adrian
RE: Controlling Direct Access to jsp pages
Your technique is powerful, but the problem is that it even prevented index.jsp from displaying as well. Is there a way to work around this?

-----Original Message-----
From: David Graham [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 13, 2003 9:54 AM
To: [EMAIL PROTECTED]
Subject: Re: Controlling Direct Access to jsp pages

> Put this security info at the bottom of your web.xml to prevent access to any *.jsp file:
>
>     <security-constraint>
>       <web-resource-collection>
>         <web-resource-name>SecureAllJSPs</web-resource-name>
>         <url-pattern>*.jsp</url-pattern>
>       </web-resource-collection>
>       <auth-constraint>
>         <role-name>nobody</role-name>
>       </auth-constraint>
>     </security-constraint>
>
>     <security-role>
>       <description>No one should be put in this role.</description>
>       <role-name>nobody</role-name>
>     </security-role>
>
> David
RE: Controlling Direct Access to jsp pages
IMO these are two bad solutions:

+ Setting an attribute can be bypassed by doing /page2.jsp?referer=true
+ I am almost sure HTTP headers can be modified easily, so using the HTTP Referer header may be unsafe...

See David Graham's post in this thread to prevent access to any *.jsp file.

Regards from Spain,
Guido.

On Mon, 13 Jan 2003 [EMAIL PROTECTED] wrote:

> Yes, you can use the struts-config.xml, actions or forwards, but if you don't want Struts to know about it (!) you can check by setting a contextual attribute:
>
>     page1:  request.setAttribute("referer", true)
>     page 2: request.getAttribute("referer") = true ?
>
> or use the HTTP headers: getHeader("referer"); and check if the referer is the right one.
>
> Hopefully it will help,
> fabrice.

--
Guido Garcia Bernardo
[EMAIL PROTECTED]
[EMAIL PROTECTED]
"stat rosa pristina nomine, nomina nuda tenemus."
http://members.ud.com/services/teams/team.htm?id=D8624419-BFB6-4772-A01A-0045631F979F
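The robust alternative to both of the checks Guido rejects (a per-request attribute that a client can try to influence, or a Referer header the client controls outright) is server-side state: record in the HttpSession which step the user has actually completed and refuse any Action beyond the next one, which is also the ordering problem Matthias raises elsewhere in this thread. The filter below is an added example, not code from the thread or from Struts; the /register/stepN.do path layout, the session attribute name, the filter name and the helper the step Actions call are all assumptions.

```java
import java.io.IOException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Enforces the order step1 -> step2 -> step3 for the Struts mappings
 * /register/step1.do, /register/step2.do, /register/step3.do (assumed layout).
 *
 * The only thing consulted is a server-side session attribute that the Action
 * for step N sets after it has validated and stored its form. Nothing the
 * client sends (Referer header, query string, hidden field) can advance it.
 *
 * Assumed web.xml wiring:
 *   <filter>
 *     <filter-name>stepSequence</filter-name>
 *     <filter-class>StepSequenceFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>stepSequence</filter-name>
 *     <url-pattern>/register/*</url-pattern>
 *   </filter-mapping>
 */
public class StepSequenceFilter implements Filter {

    /** Session attribute holding the highest step the user has completed (assumed name). */
    static final String COMPLETED_STEP = "register.completedStep";

    /** Matches the servlet path of a step Action and captures the step number. */
    private static final Pattern STEP_PATH = Pattern.compile("^/register/step(\\d+)\\.do$");

    /** Called by the Action for step N once its form has been accepted. */
    public static void markCompleted(HttpSession session, int step) {
        Integer done = (Integer) session.getAttribute(COMPLETED_STEP);
        if (done == null || done.intValue() < step) {
            session.setAttribute(COMPLETED_STEP, new Integer(step));
        }
    }

    /** Highest completed step; 0 for a fresh or missing session. */
    static int completedStep(HttpSession session) {
        Integer done = (session == null) ? null : (Integer) session.getAttribute(COMPLETED_STEP);
        return (done == null) ? 0 : done.intValue();
    }

    /** A request for step N is allowed only when steps 1..N-1 are complete. */
    static boolean isAllowed(int requestedStep, int completed) {
        return requestedStep <= completed + 1;
    }

    public void init(FilterConfig config) throws ServletException {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        Matcher m = STEP_PATH.matcher(request.getServletPath());
        if (!m.matches()) {
            chain.doFilter(req, res);   // not a step Action: nothing to check
            return;
        }

        int requested = Integer.parseInt(m.group(1));
        // getSession(false) avoids creating a session just to read the attribute
        int completed = completedStep(request.getSession(false));
        if (isAllowed(requested, completed)) {
            chain.doFilter(req, res);
            return;
        }

        // Out-of-order request: send the user back to the first incomplete step.
        // A 403 would also be reasonable; a redirect is friendlier for a wizard.
        response.sendRedirect(request.getContextPath() + "/register/step" + (completed + 1) + ".do");
    }

    public void destroy() {
    }
}
```

Each step's Action calls StepSequenceFilter.markCompleted(request.getSession(), N) only after its form has passed validation and been stored, and the final Action removes the attribute so a restarted wizard begins at step1 again. With the step JSPs kept under /WEB-INF, as the rest of the thread recommends, the Actions are the only route to the views, so guarding the Actions guards the sequence.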
RE: Controlling Direct Access to jsp pages
Yes, you're right, considering any security issue. I first wrongly understood the question, thinking the author wanted to bypass the Struts action: I read too fast ;) Sorry for that spam...

fab'

-----Original Message-----
From: Guido [mailto:[EMAIL PROTECTED]]
Sent: Monday, 13 January 2003 17:44
To: Struts Users Mailing List
Subject: RE: Controlling Direct Access to jsp pages

> IMO these are two bad solutions:
>
> + Setting an attribute can be bypassed by doing /page2.jsp?referer=true
> + I am almost sure HTTP headers can be modified easily, so using the HTTP Referer header may be unsafe...
>
> See David Graham's post in this thread to prevent access to any *.jsp file.
>
> Regards from Spain,
> Guido.
RE: Controlling Direct Access to jsp pages
I have had a go at this - I get a 500 error message "Cannot perform access control without an authenticated principal" - presumably I need to do something else as well?

-----Original Message-----
From: David Graham [mailto:[EMAIL PROTECTED]]
Sent: 13 January 2003 15:54
To: [EMAIL PROTECTED]
Subject: Re: Controlling Direct Access to jsp pages

> Put this security info at the bottom of your web.xml to prevent access to any *.jsp file:
>
>     <security-constraint>
>       <web-resource-collection>
>         <web-resource-name>SecureAllJSPs</web-resource-name>
>         <url-pattern>*.jsp</url-pattern>
>       </web-resource-collection>
>       <auth-constraint>
>         <role-name>nobody</role-name>
>       </auth-constraint>
>     </security-constraint>
>
>     <security-role>
>       <description>No one should be put in this role.</description>
>       <role-name>nobody</role-name>
>     </security-role>
>
> David
RE: Controlling Direct Access to jsp pages
Here's an approach that works with WebLogic 7. All the JSPs except index.jsp (the welcome page) are kept in a directory called pages. index.jsp simply contains:

    <%@ taglib prefix="logic" uri="http://jakarta.apache.org/struts/tags-logic" %>
    <logic:forward name="main"/>

where main is the name of a global forward that represents the true entry point into the app. web.xml contains:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Pages</web-resource-name>
        <url-pattern>/pages/*</url-pattern>
      </web-resource-collection>
      <auth-constraint/>
    </security-constraint>

An empty auth-constraint is interpreted to mean "deny all access".

Quoting Colquhoun, Adrian <[EMAIL PROTECTED]>:

> I have had a go at this - I get a 500 error message "Cannot perform access control without an authenticated principal" - presumably I need to do something else as well?

--
Kris Schneider
mailto:[EMAIL PROTECTED]
D.O.Tech <http://www.dotech.com/>
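Kris's empty auth-constraint gets the container to refuse direct requests for /pages/*, but as this thread shows the result differs by container (a 403 on WebLogic 7, a 500 on Tomcat). A container-neutral way to get the same 403 behaviour, as an added example that is not code from the thread or from Struts, is a servlet Filter mapped to *.jsp that refuses client requests outright. It relies on the Servlet 2.3 rule (Tomcat 4) that filters run only on client requests and not on RequestDispatcher.forward() calls, so views forwarded from an Action still render. The class name, the init parameter and the allow-list of directly reachable pages are assumptions.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
import java.util.StringTokenizer;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Returns 403 Forbidden for any JSP a browser asks for directly, except the
 * pages listed in the "allow" init-param (typically just the welcome page).
 *
 * Filters in the Servlet 2.3 model are applied to client requests only, never
 * to RequestDispatcher.forward() calls, so an Action forwarding to
 * /pages/step2.jsp still renders while GET /pages/step2.jsp from a browser is
 * refused. Class, filter and parameter names here are assumptions.
 *
 * Assumed web.xml wiring:
 *   <filter>
 *     <filter-name>denyDirectJsp</filter-name>
 *     <filter-class>DenyDirectJspFilter</filter-class>
 *     <init-param>
 *       <param-name>allow</param-name>
 *       <param-value>/index.jsp</param-value>
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>denyDirectJsp</filter-name>
 *     <url-pattern>*.jsp</url-pattern>
 *   </filter-mapping>
 */
public class DenyDirectJspFilter implements Filter {

    /** Servlet paths that may be requested directly, e.g. "/index.jsp". */
    private final Set<String> allowed = new HashSet<String>();

    public void init(FilterConfig config) throws ServletException {
        String list = config.getInitParameter("allow");
        if (list != null) {
            // comma- or space-separated list of context-relative paths
            StringTokenizer tok = new StringTokenizer(list, ", ");
            while (tok.hasMoreTokens()) {
                allowed.add(tok.nextToken().trim());
            }
        }
    }

    /** True when the given context-relative servlet path may be served directly. */
    boolean isAllowed(String servletPath) {
        return allowed.contains(servletPath);
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // With an extension mapping (*.jsp) getServletPath() is the whole
        // context-relative path, already URL-decoded, e.g. "/pages/step2.jsp".
        if (isAllowed(request.getServletPath())) {
            chain.doFilter(req, res);   // welcome page: let the JSP run
            return;
        }

        // Direct request for a protected view: refuse it. The Action reaches the
        // same JSP through RequestDispatcher.forward(), which bypasses this filter.
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
    }

    public void destroy() {
        allowed.clear();
    }
}
```

On a Servlet 2.4 or later container the default filter-mapping still applies to client requests only; do not add a <dispatcher>FORWARD</dispatcher> element to it, or the Action's own forward would be refused as well. Combined with Kris's layout (everything except index.jsp under /pages/), the allow-list is exactly one entry.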
RE: Controlling Direct Access to jsp pages
I have got this to work under Tomcat 4.1. I modified my struts-config file as follows:

    <action path="/register/step1"
            type="com.id_crm.webapp.action.NameAddressAction"
            name="NameAddressForm"
            scope="session"
            validate="true"
            input="/register/step1.jsp">
        <!-- <forward name="success" path="/register/step2.jsp"/> -->
        <!-- step2.jsp is now in the WEB-INF directory and cannot be accessed directly -->
        <forward name="success" path="/WEB-INF/step2.jsp"/>
    </action>

-----Original Message-----
From: Cory Newey
Sent: 13 January 2003 15:57
Subject: RE: Controlling Direct Access to jsp pages

I've heard of this approach to protecting access to JSP pages but I've never been able to get it to work. How, exactly, do you route to a JSP in the /WEB-INF directory? Could you maybe provide a little of the struts-config.xml file that would do this, or the code in the Action class that does this? Thanks.

James Mitchell wrote (01/13/03 08:50 AM):

I place them all under /WEB-INF and force them to go through my action classes. There are other ways, but this is the most convenient for me.

<disclaimer>Use at your own risk. Not all containers support doing it this way.</disclaimer>

-- James Mitchell
RE: Controlling Direct Access to jsp pages
Instead of

    <url-pattern>/pages/*</url-pattern>

can I have something like the following?

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Pages</web-resource-name>
        <url-pattern>/app1/*</url-pattern>
        <url-pattern>/app2/*</url-pattern>
        <url-pattern>/app3/*</url-pattern>
        <url-pattern>/app4/*</url-pattern>
      </web-resource-collection>
      <auth-constraint/>
    </security-constraint>
RE: Controlling Direct Access to jsp pages
Here's the definition of the web-resource-collection element:

    <!ELEMENT web-resource-collection (web-resource-name, description?, url-pattern*, http-method*)>

So, yes, it looks like that would be fine. Just to be sure it's clear, assuming your app context is myapp, your example would restrict access to something like the following URLs:

    http://www.myhost.com/myapp/app1/*
    http://www.myhost.com/myapp/app2/*
    http://www.myhost.com/myapp/app3/*
    http://www.myhost.com/myapp/app4/*

-- Kris Schneider, D.O.Tech, http://www.dotech.com/
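The thread offers two ways to keep users off the JSPs: a web.xml security-constraint (a list of url-patterns with an empty auth-constraint, or a role that nobody holds) and moving the JSPs under /WEB-INF so the container never serves them directly. The following script is an added example, not code from any post, from Struts, or from a container. It emulates the matching rules a Servlet 2.3 container applies (exact, "/dir/*" path-prefix, "*.ext" extension, "/" default; an empty auth-constraint denies every caller; nothing under /WEB-INF or /META-INF is served directly) so you can check which request paths a given web.xml would deny before deploying. The web.xml text, the role name "nobody" and the sample paths are constructed for the example.

```python
"""Which context-relative paths does a web.xml deny?

Added example for this thread; it is not code from the original posts,
from Struts, or from any container. It emulates Servlet 2.3 behaviour:
url-pattern matching (exact, "/dir/*" prefix, "*.ext" extension, "/"),
an empty <auth-constraint/> meaning "no role may access", and the rule
that /WEB-INF and /META-INF are never served directly (which is why a
JSP moved there is reachable only through a forward).
The web.xml below is constructed for the example.
"""
import xml.etree.ElementTree as ET

SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Pages</web-resource-name>
      <url-pattern>/app1/*</url-pattern>
      <url-pattern>/app2/*</url-pattern>
      <url-pattern>/pages/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SecureAllJSPs</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>nobody</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""


def pattern_matches(pattern, path):
    """Servlet-spec url-pattern matching. Patterns are case-sensitive, so
    "*.jsp" does not cover "/x/y.JSP"; whether the container would then
    serve that file depends on its filesystem, so treat it as a gap."""
    if pattern == "/":
        return True                                   # default servlet
    if pattern.startswith("/") and pattern.endswith("/*"):
        prefix = pattern[:-2]                         # "/app1/*" -> "/app1"
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return path == pattern                            # exact mapping


def load_constraints(web_xml):
    """Return (name, [patterns], roles) per constraint that has an
    <auth-constraint>; roles is None when that element is empty (deny all)."""
    result = []
    for sc in ET.fromstring(web_xml).findall("security-constraint"):
        ac = sc.find("auth-constraint")
        if ac is None:
            continue                                  # restricts nothing
        roles = [r.text.strip() for r in ac.findall("role-name")] or None
        for wrc in sc.findall("web-resource-collection"):
            name = wrc.findtext("web-resource-name", "").strip()
            patterns = [p.text.strip() for p in wrc.findall("url-pattern")]
            result.append((name, patterns, roles))
    return result


def access_for(web_xml, path, user_roles=()):
    """Decide ("allowed" | "denied", reason) for a context-relative path
    requested by a caller holding user_roles (empty = anonymous)."""
    if path in ("/WEB-INF", "/META-INF") or path.startswith(("/WEB-INF/", "/META-INF/")):
        return "denied", "container never serves /WEB-INF or /META-INF directly"
    permitted, matched = set(), []
    for name, patterns, roles in load_constraints(web_xml):
        if not any(pattern_matches(p, path) for p in patterns):
            continue
        if roles is None:
            return "denied", "%s: empty auth-constraint" % name
        matched.append(name)
        permitted.update(roles)                       # roles of all matches combine
    if not matched:
        return "allowed", "no constraint matches"
    held = set(user_roles)
    if ("*" in permitted and held) or (permitted & held):   # "*" = any declared role
        return "allowed", "%s: caller holds a permitted role" % ", ".join(matched)
    return "denied", "%s: requires one of %s" % (", ".join(matched), sorted(permitted))


if __name__ == "__main__":
    for p in ["/index.jsp", "/pages/main.jsp", "/app3/step2.jsp",
              "/app3/step2.do", "/WEB-INF/step2.jsp", "/x/y.JSP"]:
        print("%-22s %s (%s)" % (p, *access_for(SAMPLE_WEB_XML, p)))
```

Two results are worth noticing when you run it: "/x/y.JSP" is not caught by "*.jsp", so a constraint-only defence has a case-sensitivity gap that the /WEB-INF placement does not; and a caller who does hold the "nobody" role is let in, so the role must genuinely have no members in the container's realm.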
Re: Controlling Direct Access to jsp pages
Adrian, I saw a lot of answers to your question regarding how to protect the JSP files. I think protecting direct access to the JSP files is only one thing. The other is to force the execution of the associated actions in the right order, i.e. step3.do after step2.do and this one after step1.do. For this task you might want to check out the following:

http://www.livinglogic.de/Struts/

This is a simple workflow framework incorporated into Struts that allows you to do exactly this via definitions in the struts config file.

--- Matthias
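The point above is that hiding step2.jsp and step3.jsp does nothing against a request typed directly for step3.do; the order has to be enforced server-side in the actions. The script below is an added example of that guard, not code from the original posts, from Struts, or from the livinglogic extension linked above. The HttpSession is modelled as a plain dict, the step names are the ones from Adrian's question, and the attribute name "wf.last_completed" plus the rule that a user may re-run any step up to the next pending one are assumptions of this example.

```python
"""Enforce that step actions run in order: step1 -> step2 -> step3.

Added example for this thread; not code from the original posts, from
Struts, or from the livinglogic workflow extension. The session is a
plain dict standing in for HttpSession; SESSION_KEY and the "may re-run
earlier steps" rule are assumptions of the example.
"""

STEPS = ["step1", "step2", "step3"]
SESSION_KEY = "wf.last_completed"   # index of the highest completed step, -1 if none


class WorkflowViolation(Exception):
    """A step was requested out of order (e.g. step3.do typed directly)."""


def next_allowed(session):
    """Name of the step the user should perform next, or "done"."""
    idx = session.get(SESSION_KEY, -1) + 1
    return STEPS[idx] if idx < len(STEPS) else "done"


def run_step(session, requested):
    """Guard for a step action: reject anything beyond the next pending step.
    Returns the name of the step to forward to afterwards."""
    if requested not in STEPS:
        raise ValueError("unknown step: %s" % requested)
    idx = STEPS.index(requested)
    last = session.get(SESSION_KEY, -1)
    if idx > last + 1:
        # The check lives in the action, not the JSP: a JSP under /WEB-INF
        # is still rendered for anyone who reaches the action that forwards to it.
        raise WorkflowViolation("%s requested before %s completed"
                                % (requested, STEPS[idx - 1]))
    # ... the real action logic (validate the form, persist it) would run here ...
    session[SESSION_KEY] = max(last, idx)   # server-side state, never a request parameter
    return next_allowed(session)


def simulate(requests):
    """Replay a sequence of step requests against one fresh session and
    report the forward target, or "rejected", for each request."""
    session = {}
    outcomes = []
    for r in requests:
        try:
            outcomes.append(run_step(session, r))
        except WorkflowViolation:
            outcomes.append("rejected")
    return outcomes


if __name__ == "__main__":
    # Constructed request sequence: a user who skips ahead after step1.
    print(simulate(["step1", "step3", "step2", "step3"]))
```

The progress marker is kept only in the session and only updated by the action that just completed, so a client cannot advance it by editing a hidden field or a query parameter; going back to an earlier step is permitted but never moves the marker forward.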