Re: Disabling JSP's

2009-05-18 Thread Lukasz Lenart
Check that solution [1]; it is better and should work for any kind of
servlet container. Putting files under WEB-INF is not always good
because there isn't a strict specification to protect files under
WEB-INF - it works for Tomcat but I don't know if it does for others.

[1] http://www.java-samples.com/showtutorial.php?tutorialid=579


Regards
-- 
Lukasz
http://www.lenart.org.pl/

-
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org
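
The two approaches discussed in this thread, written out as configuration. This is an added example, not taken from any of the posts or from the linked tutorial: the action result points at a JSP moved under /WEB-INF, and a web.xml security constraint with an empty auth-constraint refuses direct client requests for any JSP left outside it. The /WEB-INF/pages/ directory and the web-resource-name label are assumptions.

```xml
<!-- struts.xml fragment: the action forwards to a JSP stored under /WEB-INF.
     /WEB-INF/pages/ is an assumed location, not a path from the thread. -->
<action name="ViewIndex" class="action.BaseAction">
    <result name="success">/WEB-INF/pages/index.jsp</result>
</action>

<!-- web.xml fragment: deny direct client requests for JSPs outside /WEB-INF.
     An auth-constraint with no role-name means no user may request the URL.
     Security constraints apply to client requests only, not to
     RequestDispatcher forwards, so action results still render. -->
<security-constraint>
    <web-resource-collection>
        <!-- Descriptive label only (assumed name) -->
        <web-resource-name>Direct JSP access</web-resource-name>
        <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>
```

With both in place, a browser request for /private/index.jsp is refused by the container (typically with a 403), while the ViewIndex action URL still renders its page.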



Re: Disabling JSP's

2009-05-17 Thread Scott Stanlick

Put your pages under WEB-INF



On May 15, 2009, at 1:36 PM, Timothy Orme  
to...@genome.med.harvard.edu wrote:



Hello All,

   I'm in the process of migrating pages from JSP's using snippets  
to struts actions. I'm wondering how people have disabled access to  
JSP's so that they cannot be accessed outside of the action anymore.

   Right now if I have an action like:

   <action name="ViewIndex" class="action.BaseAction">
       <result name="success">/private/index.jsp</result>
   </action>

   There is nothing preventing the user from just browsing directly  
to /private/index.jsp instead of accessing it through the Action  
URL. This could have some bad implications about security, but also  
might just look bad if a page that should be receiving data from an  
action no longer has the source.


   How have people worked around this in the past?

-Tim Orme





Re: Disabling JSP's

2009-05-15 Thread Jim Kiley
Put the JSP under /WEB-INF -- it is accessible to Struts routing but not
directly viewable by end clients.
jk

On Fri, May 15, 2009 at 2:36 PM, Timothy Orme
to...@genome.med.harvard.edu wrote:

 Hello All,

I'm in the process of migrating pages from JSP's using snippets to
 struts actions. I'm wondering how people have disabled access to JSP's so
 that they cannot be accessed outside of the action anymore.
Right now if I have an action like:

<action name="ViewIndex" class="action.BaseAction">
    <result name="success">/private/index.jsp</result>
</action>

There is nothing preventing the user from just browsing directly to
 /private/index.jsp instead of accessing it through the Action URL. This
 could have some bad implications about security, but also might just look
 bad if a page that should be receiving data from an action no longer has the
 source.

How have people worked around this in the past?

 -Tim Orme






-- 
Jim Kiley
Senior Technical Consultant | Summa
[p] 412.258.3346
http://www.summa-tech.com


Re: Disabling JSP's

2009-05-15 Thread Timothy Orme

Ah perfect, I was not aware this was the case. Thanks!

Jim Kiley wrote:

Put the JSP under /WEB-INF -- it is accessible to Struts routing but not
directly viewable by end clients.
jk

On Fri, May 15, 2009 at 2:36 PM, Timothy Orme
to...@genome.med.harvard.edu wrote:


Hello All,

   I'm in the process of migrating pages from JSP's using snippets to
struts actions. I'm wondering how people have disabled access to JSP's so
that they cannot be accessed outside of the action anymore.
   Right now if I have an action like:

   <action name="ViewIndex" class="action.BaseAction">
       <result name="success">/private/index.jsp</result>
   </action>

   There is nothing preventing the user from just browsing directly to
/private/index.jsp instead of accessing it through the Action URL. This
could have some bad implications about security, but also might just look
bad if a page that should be receiving data from an action no longer has the
source.

   How have people worked around this in the past?

-Tim Orme

