Hi Jonathan, you don't have the problem with "RequestDispatching to JSPs underneath WEB-INF" in weblogic 5.1 with sp 10 any more.
regards, Turaj -----Original Message----- From: Jonathan M Crater [mailto:[EMAIL PROTECTED]] Sent: Montag, 24. September 2001 17:49 To: [EMAIL PROTECTED] Subject: security question i'm using weblogic 5.1, which does not allow RequestDispatching to JSPs underneath WEB-INF. so i'm stuck keeping my JSPs outside WEB-INF. as a result, i have to secure requests to both JSPs and actions. securing the actions is just a matter of sub-classing ActionServlet and providing logic to check for certain secured paths. the problem is i don't want to repeat the logic in the JSPs--either through a tag library or otherwise. does anyone have any suggestions as to how best to prevent a situation where a user requests a JSP page directly when it should have gone through the sub-classed ActionServlet? i was thinking of just setting a request parameter for each request as it passes through the ActionServlet. that way, in the JSP i can just test for that value to determine whether the request went through the proper channel. if not, i can redirect to an error page. thoughts? suggestions?
