Preventing users getting accessing to directory contents in Tomcat
Under Tomcat 4 my JSPs are held in a subdir called jsp which contains further subdirectories.
What do I put into web.xml to stop requests such as http://localhost:8080/myapp/jsp or http://localhost:8080/myapp/jsp/info listing the contents of the directory?
RE: Preventing users getting accessing to directory contents in Tomcat
Hi,
Add a listings parameter to the DefaultServlet in conf/web.xml with a param-value of false. IIRC.

Yoav Shapira http://www.yoavshapira.com

>-----Original Message-----
>From: Paul Taylor
>Sent: Tuesday, November 09, 2004 7:00 AM
>To: Tomcat Users List
>Subject: Preventing users getting accessing to directory contents in Tomcat
>
>Under Tomcat 4 my JSPs are held in a subdir called jsp which contains
>further subdirectories.
>What do I put into web.xml to stop requests such as
>http://localhost:8080/myapp/jsp or http://localhost:8080/myapp/jsp/info
>listing the contents of the directory?
Re: Preventing users getting accessing to directory contents in Tomcat
Thanks, works a treat.

Is there a similar way to prevent the user typing in the URL of a particular JSP or image and stop them being taken to it? I've looked at security-constraints but this seems to be based on only certain/logged in users gaining access. I have no concept of logged users in my application but I only want them to access pages via the interface rather than the URL, except for a few pages which they can access via URL to allow them to bookmark them.

Shapira, Yoav wrote:
> Hi,
> Add a listings parameter to the DefaultServlet in conf/web.xml with a
> param-value of false. IIRC.
>
> Yoav Shapira http://www.yoavshapira.com
Re: Preventing users getting accessing to directory contents in Tomcat
You can't prevent images from being taken.

As for JSPs, move them to your WEB-INF directory. Then use a servlet to validate the incoming parameters and then forward to the JSP.

-Tim

Paul Taylor wrote:
> Thanks, works a treat.
>
> Is there a similar way to prevent the user typing in the URL of a
> particular JSP or image and stop them being taken to it? I've looked at
> security-constraints but this seems to be based on only
> certain/logged in users gaining access. I have no concept of logged
> users in my application but I only want them to access pages via the
> interface rather than the URL, except for a few pages which they can
> access via URL to allow them to bookmark them.
Re: Preventing users getting accessing to directory contents in Tomcat
Point taken regarding images.

But is this the only way to protect JSPs?
I have a directory structure as follows
/jsp/feedback/start.jsp
/jsp/feedback/finish.jsp

I want them to be able to bookmark start.jsp and access it either through the interface or directly from the URL, but I don't want them to access finish.jsp directly because it doesn't make any sense as it is only shown after processing start.jsp.

From what you're saying I would have to either do
/WEB-INF/feedback/start.jsp
/WEB-INF/feedback/finish.jsp
which would mean they couldn't bookmark anything

or do
/jsp/feedback/start.jsp
/WEB-INF/feedback/finish.jsp

which screws up my links and stuff, meaning quite a lot of rework and stuff over the whole site.

On a similar note, some of my JSPs call a servlet. In my web.xml it is defined and URL mapped as follows

<servlet>
    <servlet-name>Controller</servlet-name>
    <servlet-class>com.myapp.Controller</servlet-class>
    <load-on-startup>0</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>Controller</servlet-name>
    <url-pattern>/controller</url-pattern>
</servlet-mapping>

My JSP would then call
action="<%=request.getContextPath()%>/controller">
to call the servlet

the trouble is the user can type directly into the URL
localhost:8080/myapp/controller

and call the servlet out of context. How do I stop that?

Tim Funk wrote:
> You can't prevent images from being taken.
>
> As for JSPs, move them to your WEB-INF directory. Then use a servlet
> to validate the incoming parameters and then forward to the JSP.
>
> -Tim
Re: Preventing users getting accessing to directory contents in Tomcat
test.html
===
<a href="test.jsp">test.jsp</a>

test.jsp
===
<%=request.getHeader("REFERER")%>

On Wed, 2004-11-10 at 08:17, Paul Taylor wrote:
> please how do I do that ?
> Ben Souther wrote:
>
> >You could check the referrer header to make sure that the request came
> >from start.jsp
> >
> >On Wed, 2004-11-10 at 07:57, Paul Taylor wrote:
> >
> >>Point taken regarding images.
> >>
> >>But is this the only way to protect JSPs?
> >>I have a directory structure as follows
> >>/jsp/feedback/start.jsp
> >>/jsp/feedback/finish.jsp
> >>
> >>I want them to be able to bookmark start.jsp and access it either
> >>through the interface or directly from the URL, but I don't want them to
> >>access finish.jsp directly because it doesn't make any sense as it is only
> >>shown after processing start.jsp.
> >>
> >>From what you're saying I would have to either do
> >>/WEB-INF/feedback/start.jsp
> >>/WEB-INF/feedback/finish.jsp
> >>which would mean they couldn't bookmark anything
> >>
> >>or do
> >>/jsp/feedback/start.jsp
> >>/WEB-INF/feedback/finish.jsp
> >>
> >>which screws up my links and stuff, meaning quite a lot of rework and
> >>stuff over the whole site.
> >>
> >>On a similar note, some of my JSPs call a servlet. In my web.xml it is
> >>defined and URL mapped as follows
> >>
> >><servlet>
> >>    <servlet-name>Controller</servlet-name>
> >>    <servlet-class>com.myapp.Controller</servlet-class>
> >>    <load-on-startup>0</load-on-startup>
> >></servlet>
> >><servlet-mapping>
> >>    <servlet-name>Controller</servlet-name>
> >>    <url-pattern>/controller</url-pattern>
> >></servlet-mapping>
> >>
> >>My JSP would then call
> >>action="<%=request.getContextPath()%>/controller">
> >>to call the servlet
> >>
> >>the trouble is the user can type directly into the URL
> >>localhost:8080/myapp/controller
> >>
> >>and call the servlet out of context. How do I stop that?
Re: Preventing users getting accessing to directory contents in Tomcat
The easy way is to make start.jsp a GET and all the other pages POST. When pages are bookmarked, they are asked for via GET requests.

Code your JSP to look for the request method. If the method is NOT POST, then redirect them to some error page. (Or the start page.)

For example, in JSTL (but not verified)

-Tim

Paul Taylor wrote:
> Point taken regarding images.
>
> But is this the only way to protect JSPs?
> I have a directory structure as follows
> /jsp/feedback/start.jsp
> /jsp/feedback/finish.jsp
>
> I want them to be able to bookmark start.jsp and access it either
> through the interface or directly from the URL, but I don't want them to
> access finish.jsp directly because it doesn't make any sense as it is only
> shown after processing start.jsp.
Re: Preventing users getting accessing to directory contents in Tomcat
Thanks Tim

For all non JSTLers I added this to my page:

<%
if (request.getMethod().equals("GET")) {
    response.sendError(HttpServletResponse.SC_NOT_FOUND);
}
%>

Tim Funk wrote:
> The easy way is to make start.jsp a GET and all the other pages POST.
> When pages are bookmarked, they are asked for via GET requests.
>
> Code your JSP to look for the request method. If the method is NOT POST,
> then redirect them to some error page. (Or the start page.)
>
> For example, in JSTL (but not verified)
>
> -Tim
Re: Preventing users getting accessing to directory contents in Tomcat
Actually make it:

<%
if (request.getMethod().equals("GET")) {
    response.sendError(HttpServletResponse.SC_NOT_FOUND);
    // Make sure return is here to STOP all processing - otherwise
    // you'll probably see IllegalStateExceptions
    return;
}
%>

-Tim

Paul Taylor wrote:
> Thanks Tim
>
> For all non JSTLers I added this to my page:
>
> <%
> if (request.getMethod().equals("GET")) {
>     response.sendError(HttpServletResponse.SC_NOT_FOUND);
> }
> %>
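Added example, not code from the thread or from Tomcat: one way to combine the suggestions above (JSPs under WEB-INF, a servlet that validates and forwards, rejecting GET) for the /controller mapping Paul describes. The session attribute name, the comment parameter and the finish.jsp location are assumptions; the session flag is added because the request method and the Referer header are both chosen by the client.

```java
package com.myapp;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Mapped to /controller as in the web.xml quoted in the thread.
public class Controller extends HttpServlet {

    // Assumed location: finish.jsp moved under WEB-INF, so no URL reaches it directly.
    private static final String FINISH_VIEW = "/WEB-INF/feedback/finish.jsp";
    // Hypothetical session attribute that start.jsp sets when it renders the form.
    static final String FLOW_ATTR = "feedback.started";

    // Typed URLs and bookmarks arrive as GET: nothing to show out of context.
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.sendError(HttpServletResponse.SC_NOT_FOUND);
    }

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The method alone proves little, so also require server-side state
        // showing that this session was served start.jsp first.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute(FLOW_ATTR) == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return; // stop processing, as Tim's corrected scriptlet does
        }

        // Validate incoming parameters before any view sees them.
        String comment = req.getParameter("comment"); // hypothetical field name
        if (comment == null || comment.trim().length() == 0 || comment.length() > 2000) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        session.removeAttribute(FLOW_ATTR);   // one pass through the flow per visit
        req.setAttribute("comment", comment); // finish.jsp must HTML-escape this
        req.getRequestDispatcher(FINISH_VIEW).forward(req, resp);
    }
}
```

start.jsp stays bookmarkable under /jsp/feedback/ and would set the flag when it renders the form, for example with session.setAttribute("feedback.started", Boolean.TRUE) in a scriptlet.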