RE: Disable JSP ?

David Winterfeldt Thu, 17 May 2001 13:29:37 -0700
Some people put JSP files in their WEB-INF directory. 
No direct access is allowed by a user to anything
under the WEB-INF directory, but you can forward a
user there and do includes from there.  I've done this
to hide JSP template pages.

David

--- "Hicks, James" <[EMAIL PROTECTED]> wrote:
> You can use the <security-constraint/> and
> <security-role/> tags in your
> deployment description to block access to a JSP
> page.  The only problem with
> this is you have to list every single jsp file you
> want to protect.  You
> cant use the '*.jsp' expression to hide all jsp
> files. 
> 
> --- start web.xml ---
> <web-app>
> ....
>   <security-role>
>     <role-name>hiddenrole</role-name>
>   </security-role>
>   <security-constraint>
>     <web-resource-collection>
>      
> <web-resource-name>noaccess</web-resource-name>
>       <url-pattern>/myFile.jsp</url-pattern>
>       <url-pattern>/myOtherFile.jsp</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>hiddenrole</role-name>
>     </auth-constraint>
>   </security-constraint>
> </web-app>
> --- end web.xml ---
> 
> James Hicks
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] 
> Sent: Monday, May 14, 2001 8:19 AM
> To: [EMAIL PROTECTED]
> Subject: Disable JSP ?
> 
> Hello struts users,
> I just have a little question about application
> server 
> configuration. Well, i never use direct link between
> JSP, 
> i always use Action even if there is nothing to do,
> then 
> I can control the path of users into my site.
> That's why I don't want user be able to call
> directly a 
> JSP. I tried to disable JSP access in my web.xml
> file but 
> it works too good. Indeed, even Action forwarding
> (JSP) 
> are concerned about this rule, so I can't visualize
> any 
> JSP.
> Here is the concerned code in (web.xml):  
> <servlet>
>   <servlet-name>controlFlowException</servlet-name>
>   <jsp-file>controlFlowException.jsp</jsp-file>
> </servlet>
> 
> <!-- Control Flow Mapping -->
> <servlet-mapping>
>   <servlet-name>controlFlowException</servlet-name>
>   <url-pattern>*.jsp</url-pattern>
> </servlet-mapping>
> 


__________________________________________________
Do You Yahoo!?
Yahoo! Auctions - buy the things you want at great prices
http://auctions.yahoo.com/
RE: Disable JSP ?

Reply via email to
