At 10:16 -0700 8/4/03, Martin Cooper wrote:
That sounds rather dangerous to me, unless you have some additional control
over which JSP pages can be accessed in this way. From your description, it
sounds like this gives the client blanket access to all the JSP pages in
your app, which I certainly wouldn't want.

I suppose it would, if they knew where the JSPs were. I thought about trying to integrate support for the "hide JSPs in /WEB-INF/" strategy, but since we use WL6 which doesn't permit that hiding, I decided to hold off.


Can you elaborate on the danger, though? I mean, I don't like people poking around either, but I can't think of critical risks to which this exposes an application. And if you can't use WEB-INF hiding, I don't see how this is any riskier than normal -- there's not much difference between the client guessing paths ending in .jsp and guessing paths ending in .do, I don't think.

As noted in another followup, the goal here is to make our HTML staff more self-sufficient. (Before long, we hope to have them on Mac OS X and trained in the rudiments of Struts config files and running a webapp with Ant, but we're not there yet.) Maybe our clients are just verbose, but the number of otherwise static pages we need to deal with makes a solution like this appealing.

Thanks for any security advice, certainly.

Joe

--
Joe Germuska [EMAIL PROTECTED] http://blog.germuska.com "If nature worked that way, the universe would crash all the time." --Jaron Lanier
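The "hide JSPs in /WEB-INF/" strategy mentioned above, shown as an added configuration example (not from the original thread or from the Struts project). It assumes a Struts 1.1 application on a container that allows a RequestDispatcher forward into /WEB-INF/ (Tomcat does; the thread notes WebLogic 6 does not). The point for a defender is that the set of reachable pages is an explicit allow-list in struts-config.xml rather than whatever .jsp path a client can guess, and the JSP sources themselves are never directly requestable.

```xml
<!-- web.xml (fragment): only *.do is routed to the Struts ActionServlet.
     Nothing maps *.jsp, and the container never serves /WEB-INF/ content,
     so a client cannot request a JSP by guessing its path. -->
<servlet-mapping>
  <servlet-name>action</servlet-name>
  <url-pattern>*.do</url-pattern>
</servlet-mapping>

<!-- struts-config.xml (fragment): each page the HTML staff publishes is
     listed here by hand. Paths under /WEB-INF/pages/ are assumed names
     for this example. The forward attribute (Struts 1.1) needs no Action
     class, so adding a page is one line of config plus the JSP file. -->
<action-mappings>
  <!-- /about.do -> /WEB-INF/pages/about.jsp -->
  <action path="/about"   forward="/WEB-INF/pages/about.jsp"/>
  <!-- /contact.do -> /WEB-INF/pages/contact.jsp -->
  <action path="/contact" forward="/WEB-INF/pages/contact.jsp"/>
  <!-- A JSP dropped into /WEB-INF/pages/ without an entry here stays
       unreachable until someone deliberately publishes it. -->
</action-mappings>
```

The trade-off relative to a single catch-all action that forwards to any JSP the client names is exactly the one Martin raised: a per-page entry is a small amount of config work, but it means a half-finished or internal JSP is not exposed simply because it exists on disk.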


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]