, January 13, 2003 11:55 PM
To: Struts Users Mailing List
Subject: RE: Controlling Direct Access to jsp pages
Here's an approach that works with WebLogic 7. All the JSPs except
index.jsp
(the welcome page) are kept in a directory called pages. index.jsp simply
contains:
%@ taglib prefix=logic uri=http
: Controlling Direct Access to jsp pages
Adrian,
I saw a lot of answers to your question regarding how to protect the jsp
files. I think protecting direct access to the jsp files is only one
thing. The other is, to force the execution of the associated actions in
the right order, i.e. step3.do
List
Subject: RE: Controlling Direct Access to jsp pages
Here's an approach that works with WebLogic 7. All the JSPs except
index.jsp
(the welcome page) are kept in a directory called pages. index.jsp simply
contains:
<%@ taglib prefix="logic" uri="http://jakarta.apache.org/struts/tags-logic" %>
Hi
If I have three pages in my view layer that must be called in sequence e.g.
- step1.jsp then
- step2.jsp then
- step3.jsp
How do I ensure that my users do not call step2 and step3 directly via a
web browser. Do I need to use a custom tag in pages 2 and 3 to check this
or is there some
: Colquhoun, Adrian [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 13, 2003 10:41 AM
To: '[EMAIL PROTECTED]'
Subject: Controlling Direct Access to jsp pages
Hi
If I have three pages in my view layer that must be called in
sequence e.g.
- step1.jsp then
- step2.jsp
Mitchell
-Original Message-
From: Colquhoun, Adrian [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 13, 2003 10:41 AM
To: '[EMAIL PROTECTED]'
Subject: Controlling Direct Access to jsp pages
Hi
If I have three pages in my view layer that must be called in
sequence e.g
List'
Subject: RE: Controlling Direct Access to jsp pages
I place them all under /WEB-INF and force them to go through my action
classes.
There are other ways, but this is the most convenient for me.
<disclaimer>
Use at your own risk.
Not all containers support doing it this way.
</disclaimer>
]' [EMAIL PROTECTED]
Subject: Controlling Direct Access to jsp pages
Date: Mon, 13 Jan 2003 15:40:45 -
Hi
If I have three pages in my view layer that must be called in sequence e.g.
- step1.jsp then
- step2.jsp then
- step3.jsp
How do I ensure that my users do not call step2 and step3 directly
<role-name>nobody</role-name>
</security-role>
David
From: Colquhoun, Adrian [EMAIL PROTECTED]
Reply-To: Struts Users Mailing List [EMAIL PROTECTED]
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
Subject: Controlling Direct Access to jsp pages
Date: Mon, 13 Jan 2003 15:40:45 -
Hi
If I have
PROTECTED]
} Subject: Controlling Direct Access to jsp pages
}
}
}
} Hi
}
} If I have three pages in my view layer that must be called in sequence e.g.
}
} - step1.jsp then
} - step2.jsp then
} - step3.jsp
}
} How do I ensure that my users do not call step2 and step3 directly via a
} web
To: Struts Users Mailing List
Subject: RE: Controlling Direct Access to jsp pages
IMO these are two bad solutions
+ Setting an attribute can be bypassed doing
/page2.jsp?referer=true
+ I am almost sure HTTP headers can be modified easily, so using http
referer header may be unsafe...
See
]
Subject: Re: Controlling Direct Access to jsp pages
Put this security info at the bottom of your web.xml to prevent access to
any *.jsp file:
<security-constraint>
<web-resource-collection>
<web-resource-name>SecureAllJSPs</web-resource-name>
-
From: David Graham [mailto:[EMAIL PROTECTED]]
Sent: 13 January 2003 15:54
To: [EMAIL PROTECTED]
Subject: Re: Controlling Direct Access to jsp pages
Put this security info at the bottom of your web.xml to prevent access to
any *.jsp file:
<security-constraint>
web
:[EMAIL PROTECTED]]
Sent: 13 January 2003 15:57
To: [EMAIL PROTECTED]
Subject: RE: Controlling Direct Access to jsp pages
I've heard of this approach to protecting access to JSP pages but I've
never been able to get it to work. How, exactly, do you route to a JSP
in the /WEB-INF directory? Could you
?
-Original Message-
From: David Graham [mailto:[EMAIL PROTECTED]]
Sent: 13 January 2003 15:54
To: [EMAIL PROTECTED]
Subject: Re: Controlling Direct Access to jsp pages
Put this security info at the bottom of your web.xml to prevent access to
any *.jsp file:
<security-constraint>
-constraint></auth-constraint>
</security-constraint>
-Original Message-
From: Kris Schneider [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 13, 2003 12:25 PM
To: Struts Users Mailing List
Subject: RE: Controlling Direct Access to jsp pages
Here's an approach that works with WebLogic 7
-Original Message-
From: Colquhoun, Adrian
Sent: 13 January 2003 16:37
To: 'Struts Users Mailing List'
Subject: RE: Controlling Direct Access to jsp pages
I have had a go at this - I get a 500 error message Cannot perform access
control without an authenticated principal - presumably
-Original Message-
From: Colquhoun, Adrian
Sent: 13 January 2003 16:49
To: 'Struts Users Mailing List'
Subject: RE: Controlling Direct Access to jsp pages
I have got this to work under tomcat 4.1 - I modified my struts config file
as follows
<action path="/register/step1"
Access to jsp pages
Date: Mon, 13 Jan 2003 16:51:48 -
-Original Message-
From: Colquhoun, Adrian
Sent: 13 January 2003 16:37
To: 'Struts Users Mailing List'
Subject: RE: Controlling Direct Access to jsp pages
I have had a go at this - I get a 500 error message Cannot perform access
Adrian,
I saw a lot of answers to your question regarding how to protect the jsp
files. I think protecting direct access to the jsp files is only one
thing. The other is, to force the execution of the associated actions in
the right order, i.e. step3.do after step2.do and this one after
20 matches