Some time ago a friend of mine found that some JSP engines will show JSP
source by appending chars like '/' or %00 (there are more examples). The
cause of that is Sun's Java file I/O package will open a file even if there
is weird stuff appended to the end. At the same time the engine thinks the
requested string is not a JSP because there are things appended to it.

Since you brought it up I think it is a good time to put it on the mailing
list.

Gang

The source of the JSP could be harmful if seen, since it may contain
passwords to database systems or other such info. It might be a good idea to
use a bean to do that kind of stuff and just let the JSP invoke the bean.

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, February 28, 2003 2:45 PM
Subject: Re: Is JSP or Servlet more secure?


> Thanks for your quick response Mike. One reason I asked this question - On
> Google, Servlet+Security gives 258,000 hits, while JSP+Security nets
> 1,240,000 hits.
>
> One reason could be that since JSPs are easier to use, and more is
> written about it.
>
> There was another reason it could be so (speculation follows). The servlet
> classes are put in WEB-INF that is only readable by server (at least in
> Tomcat). JSPs are generally in HTML area that are easier to get to. Even
> generated servlets from JSPs land up in work directory, that may be easier
> to get to than WEB-INF. Just wondering whether this relatively easier
> access to source of JSPs may be a potential vulnerability.
>
> das
>
> Mike Silvers wrote:
>
> >No.  The main difference is the ease of use for creating HTML documents.
> >The jsp makes it easier to create HTML documents.   When a jsp is used, it
> >is first compiled into a servlet and then used.
> >
> >Mike
> >
> >----- Original Message -----
> >From: <[EMAIL PROTECTED]>
> >To: <[EMAIL PROTECTED]>
> >Sent: Friday, February 28, 2003 2:12 PM
> >Subject: Is JSP or Servlet more secure?
> >
> >
> >>For creating a totally new web site, is there any difference from
> >>security point of view of using only servlets or using only JSPs?
> >>
> >>das
> >>
>
>

___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".

Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
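As an added example that is not part of this thread, here is a defensive servlet Filter for the source-disclosure mechanism Gang describes at the top (a JSP path with '/' or %00 appended falling through to a handler that serves the file verbatim). The class name `JspPathFilter` and the helper `isCleanJspPath` are my own choices; it assumes the javax.servlet 2.3 API that Tomcat 4 shipped with.

```java
// Added example, not from the thread: refuse any request whose raw URI names a
// JSP with characters appended (e.g. "/login.jsp/" or "/login.jsp%00"), so the
// request never reaches a handler that might return the raw file.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class JspPathFilter implements Filter {
    public void init(FilterConfig config) {}
    public void destroy() {}

    /**
     * True only if the raw request URI is either not a JSP request at all, or
     * names the JSP exactly, with nothing after the extension. Works on the
     * undecoded URI (getRequestURI is not decoded), so "%00" is still visible.
     */
    static boolean isCleanJspPath(String rawUri) {
        if (rawUri == null) return false;
        for (int i = 0; i < rawUri.length(); i++) {
            if (rawUri.charAt(i) < 0x20) return false;     // literal NUL or control byte
        }
        String lower = rawUri.toLowerCase();
        if (lower.indexOf("%00") >= 0) return false;        // percent-encoded NUL byte
        int ext = lower.indexOf(".jsp");
        if (ext < 0) return true;                           // not a JSP request
        String tail = lower.substring(ext);                 // ".jsp", ".jsp/", ".jsp%00", ".jspx"
        return tail.equals(".jsp") || tail.equals(".jspx"); // nothing may follow the extension
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        if (!isCleanJspPath(http.getRequestURI())) {
            // Plain 404: do not echo the offending path back to the client
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }
}
// Map it to every request in web.xml:
//   <filter><filter-name>jspPath</filter-name><filter-class>JspPathFilter</filter-class></filter>
//   <filter-mapping><filter-name>jspPath</filter-name><url-pattern>/*</url-pattern></filter-mapping>
```

Logging the rejected URI server-side (not in the response) gives a simple signal for spotting probes of this kind in the access logs.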
