> -----Original Message-----
> From: David Geary [mailto:[EMAIL PROTECTED]]
> Sent: November 14, 2000 3:20 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: *.jsp "back door" issue
> 
> Joel Schneider wrote:
> 
> > Description of Problem:
> >
> > A typical Struts based web site might be configured to have requests
> > matching the pattern "*.do" sent to the ActionServlet.  After a request is
> > handled by its Action class, processing is typically forwarded to a .jsp
> > page.
> >
> > However, it's also possible for users to directly request a .jsp page.
> > When this happens, the JSP container (in my case, Orion) will process the
> > .jsp page without any involvement by the ActionServlet.  Some .jsp pages
> > may yield unexpected results when called in this manner.
> 
> Put those JSP pages in a directory under WEB-INF; for example, WEB-INF/jsp.
> Files under the WEB-INF directory cannot be directly accessed.

The other thing I've seen done when you don't want somebody to ever
accidentally run a .JSP is to rename it to something else (Arsdigita
Community System, Java version, does this, by having .JSP pages which do an
include on other JSP pages with the extension '.tpl' (for template)).
Directly accessing the .tpl file from a browser would not trigger the JSP
handler. This would not stop the user from seeing the raw page though, so it
is still probably best to put them somewhere inaccessible as above...
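As an added illustration (not part of the original messages), here is what the WEB-INF layout David describes looks like in a Struts 1 configuration, with the exposed layout beside the corrected one. The servlet name "action", the action path, the form-bean name and the class name are assumed placeholders.

```xml
<!-- web.xml (fragment): only *.do is routed to the ActionServlet; *.jsp is
     handled by the JSP container directly, with no Action involved -->
<servlet-mapping>
  <servlet-name>action</servlet-name>
  <url-pattern>*.do</url-pattern>
</servlet-mapping>

<!-- struts-config.xml, BEFORE: the forward target lives under the document
     root, so a browser can request /welcome.jsp directly and the page runs
     without any Action having prepared the request attributes it expects -->
<action path="/login" type="example.LoginAction" name="loginForm" scope="request">
  <forward name="success" path="/welcome.jsp"/>
</action>

<!-- struts-config.xml, AFTER: same forward, but the JSP now sits under WEB-INF.
     A server-side forward or include still reaches it, while a direct browser
     request for /WEB-INF/jsp/welcome.jsp is refused by the container -->
<action path="/login" type="example.LoginAction" name="loginForm" scope="request">
  <forward name="success" path="/WEB-INF/jsp/welcome.jsp"/>
</action>
```

A quick check after moving the pages: request /WEB-INF/jsp/welcome.jsp in a browser and confirm the container refuses it, while /login.do still renders the page.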
