RE: Mapping JSP
Thank-you, that worked famously. Regards, Jimmy Ray --- "Ramu, Vinod" <[EMAIL PROTECTED]> wrote: > Use XML element (under node) in > your web.xml. Then > dispatch the request to this resource using > ServletContext.getNamedDispatcher("nameoftheresource"). > If you use this > method there is no need to use any path. It > identifies the resources > based on the name that you pass. > > Vinod > > -Original Message- > From: Jimmy Ray [mailto:[EMAIL PROTECTED] > Sent: Thursday, March 17, 2005 4:31 PM > To: tomcat-user@jakarta.apache.org > Subject: Mapping JSP > > > I have several JSP that I want to be able to forward > to from servlets. Right now I stick my JSP in > WEB-INF/jsp for security reasons. I guess I need a > way to include a JSP mapping in the web.xml so that > my > request dispatcher call does not include the WEB-INF > directory in its path. Anyone know the syntax for > this JSP mapping? > > Regards, > > Jimmy Ray > > > > __ > Do you Yahoo!? > Yahoo! Small Business - Try our new resources site! > http://smallbusiness.yahoo.com/resources/ > > - > To unsubscribe, e-mail: > [EMAIL PROTECTED] > For additional commands, e-mail: > [EMAIL PROTECTED] > > > - > To unsubscribe, e-mail: > [EMAIL PROTECTED] > For additional commands, e-mail: > [EMAIL PROTECTED] > > __ Do you Yahoo!? Yahoo! Small Business - Try our new resources site! http://smallbusiness.yahoo.com/resources/ - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Mapping JSP
Use XML element (under node) in your web.xml. Then dispatch the request to this resource using ServletContext.getNamedDispatcher("nameoftheresource"). If you use this method there is no need to use any path. It identifies the resources based on the name that you pass. Vinod -Original Message- From: Jimmy Ray [mailto:[EMAIL PROTECTED] Sent: Thursday, March 17, 2005 4:31 PM To: tomcat-user@jakarta.apache.org Subject: Mapping JSP I have several JSP that I want to be able to forward to from servlets. Right now I stick my JSP in WEB-INF/jsp for security reasons. I guess I need a way to include a JSP mapping in the web.xml so that my request dispatcher call does not include the WEB-INF directory in its path. Anyone know the syntax for this JSP mapping? Regards, Jimmy Ray __ Do you Yahoo!? Yahoo! Small Business - Try our new resources site! http://smallbusiness.yahoo.com/resources/ - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Mapping .jsp to controller servlet
Januski, Ken wrote: Thanks Eric, I know that I do need to learn about filters. It's just something I don't feel like I'm up for at the moment, though I may find it surprisingly easy once I finally look into it. I'll take a look at the articles. I felt the same way until I took a closer look and realized that it's not really much different from a servlet. The concept is pretty simple actually. I know that you use JSPs in your app, not sure if you use servlets -- but if you have written a few servlets, then the Filter will be a breeze. Erik - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Mapping .jsp to controller servlet
Thanks Eric, I know that I do need to learn about filters. It's just something I don't feel like I'm up for at the moment, though I may find it surprisingly easy once I finally look into it. I'll take a look at the articles. Ken -Original Message- From: Erik Price [mailto:[EMAIL PROTECTED] Sent: Monday, February 24, 2003 10:58 AM To: Tomcat Users List Subject: Re: Mapping .jsp to controller servlet Januski, Ken wrote: > I've found a workaround for the time being. Each .jsp page has access to a > bean that includes login info. I changed jsp page to test to see if the > login flag is true. If so nothing happens. If not then I use jsp:forward to > send it back to the login.jsp page. > > So this will work until I feel ready to explore filters. That sounds like a good solution. If and when you do explore them, there is a good article here (that helped me): http://www.javaworld.com/javaworld/jw-01-2001/jw-0126-servletapi.html and when you're done with that, http://www.javaworld.com/javaworld/jw-06-2001/jw-0622-filters.html Erik - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Mapping .jsp to controller servlet
Januski, Ken wrote: I've found a workaround for the time being. Each .jsp page has access to a bean that includes login info. I changed jsp page to test to see if the login flag is true. If so nothing happens. If not then I use jsp:forward to send it back to the login.jsp page. So this will work until I feel ready to explore filters. That sounds like a good solution. If and when you do explore them, there is a good article here (that helped me): http://www.javaworld.com/javaworld/jw-01-2001/jw-0126-servletapi.html and when you're done with that, http://www.javaworld.com/javaworld/jw-06-2001/jw-0622-filters.html Erik - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Mapping .jsp to controller servlet
You should use filters instead of a bean. They will greatly simplify what you are trying to do as Erik explained. When you create new JSP's, you will just be able to drop them in the mapped directory and they will automatically be protected by your filter. any JSP that is not protected by tomcat's authentication(as defined in your web.xml) or by a filter(for custom authentication) will be available to anyone who knows the URL. Otherwise no one would be able to see any of your pages. Charlie > -Original Message- > From: Januski, Ken [mailto:[EMAIL PROTECTED] > Sent: Friday, February 21, 2003 4:05 PM > To: Tomcat Users List > Subject: RE: Mapping .jsp to controller servlet > > > I've found a workaround for the time being. Each .jsp page > has access to a > bean that includes login info. I changed jsp page to test to > see if the > login flag is true. If so nothing happens. If not then I use > jsp:forward to > send it back to the login.jsp page. > > So this will work until I feel ready to explore filters. > > > > -Original Message- > From: Januski, Ken [mailto:[EMAIL PROTECTED] > Sent: Friday, February 21, 2003 1:33 PM > To: Tomcat Users List > Subject: RE: Mapping .jsp to controller servlet > > > Thanks Erik, > > I'm going to hold off for awhile and see if anyone clarifies > the public > nature of the .jsp files and any possible way around it. In > the meantime > I'll keep experimenting on my own. If that leads to nothing, > as I sort of > suspect it will, then it's on to filters and more questions > about them. > > Ken > > -----Original Message- > From: Erik Price [mailto:[EMAIL PROTECTED] > Sent: Friday, February 21, 2003 12:40 PM > To: Tomcat Users List > Subject: Re: Mapping .jsp to controller servlet > > > > > Januski, Ken wrote: > > Erik, > > > > Thanks. Sorry I haven't been clearer. The servlet does use > request.include. > > I just added a try/catch to it and noticed that it fails > when trying to > > include the file that I've put in WEB-INF. The error is > > "javax.servlet.ServletException: queries.jsp". > > Oh. Sorry about that. For some reason I remember someone on > this list > saying that they did something like putting their JSPs in WEB-INF and > include() or forward()ed to them. But I must have been mistaken. > > > I would like to get a few things clear before I pursue > filters, which I > > haven't used before. Is it true that any jsp file put in > root directory > will > > be accessible to anyone by just putting the url to it in browser? > > It is my understanding that this is how it is supposed to > work. I have > changed my own code to use servlets that forward to JSPs, but > originally > I started out with a setup that allowed users to directly > request JSPs. > It doesn't require any special extra effort on the part of > the developer. > > > And if so > > do you or anyone else know if moving it to a protected > folder should solve > > it. I know that's your theory. If it's correct then for now > I'll pursue > > getting that to work. If not then I guess I'll need to take > a closer look > at > > filters. > > Hopefully someone else can clarify. But the theory would go > like this: > > 1. All JSPs are tucked away in a subdirectory. > 2. A filter is mapped to any requests of any resource under that > subdirectory. > 3. The filter checks the session to determine if the user making the > request is properly authenticated. If so, do nothing > (actually, doing > nothing really means allowing the filter to call its "doFilterChain" > method, which in this case would allow the request to pass > through since > the JSP itself is the next resource in the chain). > However, if the user's session indicates that the user is not > authenticated, you could call response.sendRedirect() to send > the user > to another page or servlet or perhaps the Login resource. > However, be > sure to put a return statement immediately after the call to > "sendRedirect" because I discovered (in implementing an > identical filter > to the one I am describing) that the sendRedirect doesn't happen fast > enough to stop the filter from calling "doFilterChain", and > that the JSP > would get served anyway. Putting a "return" in your filter > will prevent > the doFilterChain() from getting called. > > If this is confusing, fire away, I can explain this better in > more detail. &
RE: Mapping .jsp to controller servlet
Ken wrote: > I found the following code from struts user list archive and it does what I > want. I'm not sure why I couldn't get WEB-INF to work but this may be a > better solution all in all. It may be... I hear that putting JSP's under WEB-INF isn't portable across containers. At least one of them interprets the spec more strictly and refuses to show *anything* under WEB-INF rather than just preventing direct access to it. -- Wendy Smoak Applications Systems Analyst, Sr. Arizona State University PA Information Resources Management
RE: Mapping .jsp to controller servlet
Thanks Wendy, I found the following code from struts user list archive and it does what I want. I'm not sure why I couldn't get WEB-INF to work but this may be a better solution all in all. SecureAllJSPs *.jsp Protects all JSP files from direct access. Clients must go through the controller servlet. nobody No one should be put in this role. nobody Ken -Original Message- From: Wendy Smoak [mailto:[EMAIL PROTECTED] Sent: Friday, February 21, 2003 4:20 PM To: 'Tomcat Users List' Subject: RE: Mapping .jsp to controller servlet > I've found a workaround for the time being. Each .jsp page has access to a > bean that includes login info. I changed jsp page to test to see if the > login flag is true. If so nothing happens. If not then I use jsp:forward to > send it back to the login.jsp page. > So this will work until I feel ready to explore filters. Search the Struts user list for options as this comes up repeatedly there. In some cases, if the users don't go through the controller servlet then things don't work right. In addition to putting the JSP's under WEB-INF, another method I've seen described is to configure security to protect all JSP's with a role like "nobody" and then don't assign anyone to that role. -- Wendy Smoak Applications Systems Analyst, Sr. Arizona State University PA Information Resources Management - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Mapping .jsp to controller servlet
> I've found a workaround for the time being. Each .jsp page has access to a > bean that includes login info. I changed jsp page to test to see if the > login flag is true. If so nothing happens. If not then I use jsp:forward to > send it back to the login.jsp page. > So this will work until I feel ready to explore filters. Search the Struts user list for options as this comes up repeatedly there. In some cases, if the users don't go through the controller servlet then things don't work right. In addition to putting the JSP's under WEB-INF, another method I've seen described is to configure security to protect all JSP's with a role like "nobody" and then don't assign anyone to that role. -- Wendy Smoak Applications Systems Analyst, Sr. Arizona State University PA Information Resources Management
RE: Mapping .jsp to controller servlet
I've found a workaround for the time being. Each .jsp page has access to a bean that includes login info. I changed jsp page to test to see if the login flag is true. If so nothing happens. If not then I use jsp:forward to send it back to the login.jsp page. So this will work until I feel ready to explore filters. -Original Message- From: Januski, Ken [mailto:kjanuski@xx] Sent: Friday, February 21, 2003 1:33 PM To: Tomcat Users List Subject: RE: Mapping .jsp to controller servlet Thanks Erik, I'm going to hold off for awhile and see if anyone clarifies the public nature of the .jsp files and any possible way around it. In the meantime I'll keep experimenting on my own. If that leads to nothing, as I sort of suspect it will, then it's on to filters and more questions about them. Ken -Original Message- From: Erik Price [mailto:eprice@xxx] Sent: Friday, February 21, 2003 12:40 PM To: Tomcat Users List Subject: Re: Mapping .jsp to controller servlet Januski, Ken wrote: > Erik, > > Thanks. Sorry I haven't been clearer. The servlet does use request.include. > I just added a try/catch to it and noticed that it fails when trying to > include the file that I've put in WEB-INF. The error is > "javax.servlet.ServletException: queries.jsp". Oh. Sorry about that. For some reason I remember someone on this list saying that they did something like putting their JSPs in WEB-INF and include() or forward()ed to them. But I must have been mistaken. > I would like to get a few things clear before I pursue filters, which I > haven't used before. Is it true that any jsp file put in root directory will > be accessible to anyone by just putting the url to it in browser? It is my understanding that this is how it is supposed to work. I have changed my own code to use servlets that forward to JSPs, but originally I started out with a setup that allowed users to directly request JSPs. It doesn't require any special extra effort on the part of the developer. > And if so > do you or anyone else know if moving it to a protected folder should solve > it. I know that's your theory. If it's correct then for now I'll pursue > getting that to work. If not then I guess I'll need to take a closer look at > filters. Hopefully someone else can clarify. But the theory would go like this: 1. All JSPs are tucked away in a subdirectory. 2. A filter is mapped to any requests of any resource under that subdirectory. 3. The filter checks the session to determine if the user making the request is properly authenticated. If so, do nothing (actually, doing nothing really means allowing the filter to call its "doFilterChain" method, which in this case would allow the request to pass through since the JSP itself is the next resource in the chain). However, if the user's session indicates that the user is not authenticated, you could call response.sendRedirect() to send the user to another page or servlet or perhaps the Login resource. However, be sure to put a return statement immediately after the call to "sendRedirect" because I discovered (in implementing an identical filter to the one I am describing) that the sendRedirect doesn't happen fast enough to stop the filter from calling "doFilterChain", and that the JSP would get served anyway. Putting a "return" in your filter will prevent the doFilterChain() from getting called. If this is confusing, fire away, I can explain this better in more detail. Erik - To unsubscribe, e-mail: tomcat-user-unsubscribe@xx For additional commands, e-mail: tomcat-user-help@xx - To unsubscribe, e-mail: tomcat-user-unsubscribe@xx For additional commands, e-mail: tomcat-user-help@xx - To unsubscribe, e-mail: tomcat-user-unsubscribe@xx For additional commands, e-mail: tomcat-user-help@xx
RE: Mapping .jsp to controller servlet
Thanks Erik, I'm going to hold off for awhile and see if anyone clarifies the public nature of the .jsp files and any possible way around it. In the meantime I'll keep experimenting on my own. If that leads to nothing, as I sort of suspect it will, then it's on to filters and more questions about them. Ken -Original Message- From: Erik Price [mailto:eprice@xxx] Sent: Friday, February 21, 2003 12:40 PM To: Tomcat Users List Subject: Re: Mapping .jsp to controller servlet Januski, Ken wrote: > Erik, > > Thanks. Sorry I haven't been clearer. The servlet does use request.include. > I just added a try/catch to it and noticed that it fails when trying to > include the file that I've put in WEB-INF. The error is > "javax.servlet.ServletException: queries.jsp". Oh. Sorry about that. For some reason I remember someone on this list saying that they did something like putting their JSPs in WEB-INF and include() or forward()ed to them. But I must have been mistaken. > I would like to get a few things clear before I pursue filters, which I > haven't used before. Is it true that any jsp file put in root directory will > be accessible to anyone by just putting the url to it in browser? It is my understanding that this is how it is supposed to work. I have changed my own code to use servlets that forward to JSPs, but originally I started out with a setup that allowed users to directly request JSPs. It doesn't require any special extra effort on the part of the developer. > And if so > do you or anyone else know if moving it to a protected folder should solve > it. I know that's your theory. If it's correct then for now I'll pursue > getting that to work. If not then I guess I'll need to take a closer look at > filters. Hopefully someone else can clarify. But the theory would go like this: 1. All JSPs are tucked away in a subdirectory. 2. A filter is mapped to any requests of any resource under that subdirectory. 3. The filter checks the session to determine if the user making the request is properly authenticated. If so, do nothing (actually, doing nothing really means allowing the filter to call its "doFilterChain" method, which in this case would allow the request to pass through since the JSP itself is the next resource in the chain). However, if the user's session indicates that the user is not authenticated, you could call response.sendRedirect() to send the user to another page or servlet or perhaps the Login resource. However, be sure to put a return statement immediately after the call to "sendRedirect" because I discovered (in implementing an identical filter to the one I am describing) that the sendRedirect doesn't happen fast enough to stop the filter from calling "doFilterChain", and that the JSP would get served anyway. Putting a "return" in your filter will prevent the doFilterChain() from getting called. If this is confusing, fire away, I can explain this better in more detail. Erik - To unsubscribe, e-mail: tomcat-user-unsubscribe@xx For additional commands, e-mail: tomcat-user-help@xx - To unsubscribe, e-mail: tomcat-user-unsubscribe@xx For additional commands, e-mail: tomcat-user-help@xx
Re: Mapping .jsp to controller servlet
Januski, Ken wrote: Erik, Thanks. Sorry I haven't been clearer. The servlet does use request.include. I just added a try/catch to it and noticed that it fails when trying to include the file that I've put in WEB-INF. The error is "javax.servlet.ServletException: queries.jsp". Oh. Sorry about that. For some reason I remember someone on this list saying that they did something like putting their JSPs in WEB-INF and include() or forward()ed to them. But I must have been mistaken. I would like to get a few things clear before I pursue filters, which I haven't used before. Is it true that any jsp file put in root directory will be accessible to anyone by just putting the url to it in browser? It is my understanding that this is how it is supposed to work. I have changed my own code to use servlets that forward to JSPs, but originally I started out with a setup that allowed users to directly request JSPs. It doesn't require any special extra effort on the part of the developer. And if so do you or anyone else know if moving it to a protected folder should solve it. I know that's your theory. If it's correct then for now I'll pursue getting that to work. If not then I guess I'll need to take a closer look at filters. Hopefully someone else can clarify. But the theory would go like this: 1. All JSPs are tucked away in a subdirectory. 2. A filter is mapped to any requests of any resource under that subdirectory. 3. The filter checks the session to determine if the user making the request is properly authenticated. If so, do nothing (actually, doing nothing really means allowing the filter to call its "doFilterChain" method, which in this case would allow the request to pass through since the JSP itself is the next resource in the chain). However, if the user's session indicates that the user is not authenticated, you could call response.sendRedirect() to send the user to another page or servlet or perhaps the Login resource. However, be sure to put a return statement immediately after the call to "sendRedirect" because I discovered (in implementing an identical filter to the one I am describing) that the sendRedirect doesn't happen fast enough to stop the filter from calling "doFilterChain", and that the JSP would get served anyway. Putting a "return" in your filter will prevent the doFilterChain() from getting called. If this is confusing, fire away, I can explain this better in more detail. Erik - To unsubscribe, e-mail: tomcat-user-unsubscribe@xx For additional commands, e-mail: tomcat-user-help@xx
RE: Mapping .jsp to controller servlet
Erik, Thanks. Sorry I haven't been clearer. The servlet does use request.include. I just added a try/catch to it and noticed that it fails when trying to include the file that I've put in WEB-INF. The error is "javax.servlet.ServletException: queries.jsp". I would like to get a few things clear before I pursue filters, which I haven't used before. Is it true that any jsp file put in root directory will be accessible to anyone by just putting the url to it in browser? And if so do you or anyone else know if moving it to a protected folder should solve it. I know that's your theory. If it's correct then for now I'll pursue getting that to work. If not then I guess I'll need to take a closer look at filters. Thanks again, Ken -Original Message- From: Erik Price [mailto:[EMAIL PROTECTED]] Sent: Friday, February 21, 2003 11:51 AM To: Tomcat Users List Subject: Re: Mapping .jsp to controller servlet Januski, Ken wrote: > Hmm. I got a 404 error after moving one jsp file to WEB-INF and trying to > directly access it. That's not great but at least it prevents access. Worse > though is that when I then try to go to page after having logged in I get a > "root cause: file not found error". So it looks to me like you can't move > your .jsp files out of the root web-app directory. Can anyone shed any more > light on this? Oh, I didn't realize you were still trying to directly access the JSPs after login. I made the assumption that you were only using the "forward" method of RequestDispatcher to forward to those JSPs from your servlets. If you need to allow those JSPs to be directly accessed via HTTP requests, my solution won't work. Perhaps you can move them to a subfolder (not WEB-INF) and map a filter to it which only calls doFilterChain() if the user has a valid session and is "logged in"? If the subfolder was called "/protected", you could use the URL pattern "/protected/*" as your filter mapping. Erik - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Mapping .jsp to controller servlet
Januski, Ken wrote: Hmm. I got a 404 error after moving one jsp file to WEB-INF and trying to directly access it. That's not great but at least it prevents access. Worse though is that when I then try to go to page after having logged in I get a "root cause: file not found error". So it looks to me like you can't move your .jsp files out of the root web-app directory. Can anyone shed any more light on this? Oh, I didn't realize you were still trying to directly access the JSPs after login. I made the assumption that you were only using the "forward" method of RequestDispatcher to forward to those JSPs from your servlets. If you need to allow those JSPs to be directly accessed via HTTP requests, my solution won't work. Perhaps you can move them to a subfolder (not WEB-INF) and map a filter to it which only calls doFilterChain() if the user has a valid session and is "logged in"? If the subfolder was called "/protected", you could use the URL pattern "/protected/*" as your filter mapping. Erik - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Mapping .jsp to controller servlet
Hmm. I got a 404 error after moving one jsp file to WEB-INF and trying to directly access it. That's not great but at least it prevents access. Worse though is that when I then try to go to page after having logged in I get a "root cause: file not found error". So it looks to me like you can't move your .jsp files out of the root web-app directory. Can anyone shed any more light on this? -Original Message- From: Januski, Ken [mailto:[EMAIL PROTECTED]] Sent: Friday, February 21, 2003 11:36 AM To: Tomcat Users List Subject: RE: Mapping .jsp to controller servlet Erik, That's exactly what I want: no direct access but only through servlet. I'll try moving one to WEB-INF and see if that solves the problem. Ken -Original Message- From: Erik Price [mailto:[EMAIL PROTECTED]] Sent: Friday, February 21, 2003 11:32 AM To: Tomcat Users List Subject: Re: Mapping .jsp to controller servlet I may not be entirely clear on what you're saying, but if you're saying that no one should directly be able to request your JSPs and instead they should only access the contents of your site by requesting Servlet resources (which then forward to JSPs), perhaps it would be worth moving the JSPs into WEB-INF where they cannot be touched? AFAIK, you can still have the servlets dispatcher.forward() to the JSPs if you do this. Erik Januski, Ken wrote: > Yesterday I noticed that an application that has been running successfully > for about a year has a problem I've never noticed before. It's set up so > that all access to web-app is through a login method that calls a login.jsp > page from a controller servlet. So all requests to jsp pages get redirected > to the login page. But yesterday I noticed that if I included .jsp in the > address the controller servlet and the login.jsp are completely bypassed and > access is given to the jsp page. > > I've also recently changed the login method to use JCIFS and authenticate > against NT domain controller rather than a mySQL database and I suppose it's > possible that the problem is actually there. In investigating this though > I've read that .jsp pages are public, which indicates to me that they CAN be > accessed directly. Can anyone tell me if this is true. In other words is > mapping .jsp to a servlet fruitless? If not then I guess I can conclude that > it's the login method that is failing not the mapping. I've included this in > my web.xml to force redirection of all .jsp page to the servlet but it seems > to have no effect. > > The relevant portion of web.xml, mapped to servlet named 'sysadmin' further > up in web.xml. > > > > sysadmin > > > .*jsp > > > > Thanks for any info, > > Ken > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Mapping .jsp to controller servlet
Erik, That's exactly what I want: no direct access but only through servlet. I'll try moving one to WEB-INF and see if that solves the problem. Ken -Original Message- From: Erik Price [mailto:[EMAIL PROTECTED]] Sent: Friday, February 21, 2003 11:32 AM To: Tomcat Users List Subject: Re: Mapping .jsp to controller servlet I may not be entirely clear on what you're saying, but if you're saying that no one should directly be able to request your JSPs and instead they should only access the contents of your site by requesting Servlet resources (which then forward to JSPs), perhaps it would be worth moving the JSPs into WEB-INF where they cannot be touched? AFAIK, you can still have the servlets dispatcher.forward() to the JSPs if you do this. Erik Januski, Ken wrote: > Yesterday I noticed that an application that has been running successfully > for about a year has a problem I've never noticed before. It's set up so > that all access to web-app is through a login method that calls a login.jsp > page from a controller servlet. So all requests to jsp pages get redirected > to the login page. But yesterday I noticed that if I included .jsp in the > address the controller servlet and the login.jsp are completely bypassed and > access is given to the jsp page. > > I've also recently changed the login method to use JCIFS and authenticate > against NT domain controller rather than a mySQL database and I suppose it's > possible that the problem is actually there. In investigating this though > I've read that .jsp pages are public, which indicates to me that they CAN be > accessed directly. Can anyone tell me if this is true. In other words is > mapping .jsp to a servlet fruitless? If not then I guess I can conclude that > it's the login method that is failing not the mapping. I've included this in > my web.xml to force redirection of all .jsp page to the servlet but it seems > to have no effect. > > The relevant portion of web.xml, mapped to servlet named 'sysadmin' further > up in web.xml. > > > > sysadmin > > > .*jsp > > > > Thanks for any info, > > Ken > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Mapping .jsp to controller servlet
I may not be entirely clear on what you're saying, but if you're saying that no one should directly be able to request your JSPs and instead they should only access the contents of your site by requesting Servlet resources (which then forward to JSPs), perhaps it would be worth moving the JSPs into WEB-INF where they cannot be touched? AFAIK, you can still have the servlets dispatcher.forward() to the JSPs if you do this. Erik Januski, Ken wrote: Yesterday I noticed that an application that has been running successfully for about a year has a problem I've never noticed before. It's set up so that all access to web-app is through a login method that calls a login.jsp page from a controller servlet. So all requests to jsp pages get redirected to the login page. But yesterday I noticed that if I included .jsp in the address the controller servlet and the login.jsp are completely bypassed and access is given to the jsp page. I've also recently changed the login method to use JCIFS and authenticate against NT domain controller rather than a mySQL database and I suppose it's possible that the problem is actually there. In investigating this though I've read that .jsp pages are public, which indicates to me that they CAN be accessed directly. Can anyone tell me if this is true. In other words is mapping .jsp to a servlet fruitless? If not then I guess I can conclude that it's the login method that is failing not the mapping. I've included this in my web.xml to force redirection of all .jsp page to the servlet but it seems to have no effect. The relevant portion of web.xml, mapped to servlet named 'sysadmin' further up in web.xml. sysadmin .*jsp Thanks for any info, Ken - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]