Re: [Stripes-users] Direct access to .jsp, no security manager (stripesstuff security)

2011-07-12 Thread Newman, John W
Easiest thing to do is move your jsp files into the WEB-INF folder, which is 
not allowed to be requested directly per the servlet spec. That's a normal 
best practice kind of thing. Jsps should be protected just like the compiled 
.class and .jar files (siblings).

-Original Message-
From: T Akhayo [mailto:t.akh...@gmail.com] 
Sent: Tuesday, July 12, 2011 4:35 PM
To: stripes-users@lists.sourceforge.net
Subject: [Stripes-users] Direct access to .jsp, no security manager 
(stripesstuff security)

Good evening,

I'm currently using the security interceptor from stripesstuff. It works like a 
charm.

There is only one problem: when I access my .jsp pages directly (surf to .jsp 
page) the "allowed" jsp tag always grants access.

When I go to a .action page (which forwards to the .jsp) everything works fine.

I turned debugging on and found out that when going directly to a .jsp page the 
security interceptor doesn't insert the security manager in the current 
request. When using the "allowed" tag the debug message
is:
"there is no security manager; allowing access"

Is there a way I can manually insert the security manager?

Please note that I am using my own j2eesecuritymanager.

Kind regards,
T. Akhayo


___
Stripes-users mailing list
Stripes-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/stripes-users




Re: [Stripes-users] Direct access to .jsp, no security manager (stripesstuff security)

2011-07-12 Thread Alexander Knyazev
Hi,
Why don't you use actionBean for that jsp, just create empty action bean and
you'll not have any problems:)

2011/7/13 T Akhayo 

> Good evening,
>
> I'm currently using the security interceptor from stripesstuff. It
> works like a charm.
>
> There is only one problem: when I access my .jsp pages directly (surf
> to .jsp page) the "allowed" jsp tag always grants access.
>
> When I go to a .action page (which forwards to the .jsp) everything works
> fine.
>
> I turned debugging on and found out that when going directly to a .jsp
> page the security interceptor doesn't insert the security manager in
> the current request. When using the "allowed" tag the debug message
> is:
> "there is no security manager; allowing access"
>
> Is there a way I can manually insert the security manager?
>
> Please note that I am using my own j2eesecuritymanager.
>
> Kind regards,
> T. Akhayo


Re: [Stripes-users] Direct access to .jsp, no security manager (stripesstuff security)

2011-07-13 Thread Jocke Eriksson

You should prohibit direct access to your jsp. This can be done by moving your 
jsps under WEB-INF or declaring a security constraint in web.xml.
Regards, Jocke.

From: alexk...@gmail.com
Date: Wed, 13 Jul 2011 09:40:37 +0600
To: stripes-users@lists.sourceforge.net
Subject: Re: [Stripes-users] Direct access to .jsp, no security manager 
(stripesstuff security)

Hi, Why don't you use actionBean for that jsp, just create empty action bean and 
you'll not have any problems:)

2011/7/13 T Akhayo 


Good evening,

I'm currently using the security interceptor from stripesstuff. It
works like a charm.

There is only one problem: when I access my .jsp pages directly (surf
to .jsp page) the "allowed" jsp tag always grants access.

When I go to a .action page (which forwards to the .jsp) everything works fine.

I turned debugging on and found out that when going directly to a .jsp
page the security interceptor doesn't insert the security manager in
the current request. When using the "allowed" tag the debug message
is:
"there is no security manager; allowing access"

Is there a way I can manually insert the security manager?

Please note that I am using my own j2eesecuritymanager.

Kind regards,
T. Akhayo





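
The web.xml option mentioned in the replies above, shown as an added example that is not part of the original thread. The resource name and the `*.jsp` / `*.jspx` patterns are assumptions about the application's layout. An `auth-constraint` with no role names denies every direct client request for the matched URLs, while forwards made by an action bean through the RequestDispatcher are not subject to security constraints, so the .action to .jsp path keeps working.

```xml
<!-- web.xml fragment (added example; names and URL patterns are assumed) -->
<security-constraint>
  <display-name>No direct JSP access</display-name>
  <web-resource-collection>
    <web-resource-name>JSP pages</web-resource-name>
    <!-- Match every JSP by extension, wherever it lives in the webapp -->
    <url-pattern>*.jsp</url-pattern>
    <url-pattern>*.jspx</url-pattern>
    <!-- No <http-method> elements: the constraint applies to all methods -->
  </web-resource-collection>
  <!-- Empty auth-constraint: no role is permitted, so nobody gets through -->
  <auth-constraint/>
</security-constraint>
```

With this in place a browser request for a .jsp URL should be refused with 403 before the page, and its "allowed" tag, ever runs without a security manager.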