David
From: Martin Cooper <[EMAIL PROTECTED]>
Reply-To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
To: Struts Users Mailing List <[EMAIL PROTECTED]>
Subject: RE: JSP's under WEB-INF... or not
Date: Tue, 19 Nov 2002 21:54:00 -0800 (PST)
On Tue, 19 Nov 2002, David Graham wrote:
> You can keep your jsps in public folders and protect them with this security
> rule in your web.xml file. This keeps your application portable and
> prevents direct access to jsps. Just make sure nobody is added to the
> "nobody" role.
Just curious - why would one choose to do this instead of simply locating
their JSP pages under WEB-INF (which is also portable)?
--
Martin Cooper
>
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>SecureAllJSPs</web-resource-name>
> <url-pattern>*.jsp</url-pattern>
> </web-resource-collection>
>
> <auth-constraint>
> <description>
> No roles should be able to access a JSP directly. Everyone
> must go through the controller servlet.
> </description>
> <role-name>nobody</role-name>
> </auth-constraint>
> </security-constraint>
>
> <security-role>
> <description>
> Nobody should be in this role so jsp files are protected
> from direct access.
> </description>
> <role-name>nobody</role-name>
> </security-role>
>
>
>
>
>
>
> >From: "edgar" <[EMAIL PROTECTED]>
> >Reply-To: <[EMAIL PROTECTED]>
> >To: "'Struts Users Mailing List'" <[EMAIL PROTECTED]>
> >Subject: RE: JSP's under WEB-INF... or not
> >Date: Tue, 19 Nov 2002 18:42:52 -0500
> >
> >The only reason with struts to put the jsp's under the web-inf is to
> >guarantee that your actions are executed in the expected manner. If you
> >leave the jsp's in a public directory then it is possible to execute
> >them out of sequence or without the proper form load / unload since the
> >web server will just as happily give out the jsp as the action in a
> >public directory.
> >
> >The style sheets and images were not supposed to be moved to the web-inf
> >directory. Perhaps that was the source of your problem. Since tiles is
> >driven by the struts action controller it will not be a problem in the
> >web-inf directory.
> >
> >Hope this helps
> >
> >Edgar
> >
> >-----Original Message-----
> >From: Wendy Smoak [mailto:[EMAIL PROTECTED]]
> >Sent: Tuesday, November 19, 2002 5:41 PM
> >To: 'Struts Users Mailing List'
> >Subject: JSP's under WEB-INF... or not
> >
> >
> >
> >Having the jsp files under WEB-INF is nice because I know no one can get
> >to them without going through an action. But it already caused one
> >problem with my style sheet and the images within it.
> >
> >Now I'm about to add tiles to the mix, and I wonder if I'm going to
> >unnecessarily complicate my life by having my jsp's where they don't
> >"officially" belong.
> >
> >I'm wondering if I can get the same effect by putting them in
> >/path/to/tomcat/webapps/my_app/private and then putting a Filter in
> >front of just that directory to keep people from requesting those pages
> >directly.
> >
> >Any comments? Other ideas?
> >
> >--
> >Wendy Smoak
> >Applications Systems Analyst, Sr.
> >Arizona State University PA Information Resources Management
> >
> >
> >--
> >To unsubscribe, e-mail:
> ><mailto:[EMAIL PROTECTED]>
> >For additional commands, e-mail:
> ><mailto:[EMAIL PROTECTED]>
>
>
> _________________________________________________________________
> Add photos to your e-mail with MSN 8. Get 2 months FREE*.
> http://join.msn.com/?page=features/featuredemail
>
>
> --
> To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
>
>
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
_________________________________________________________________
Help STOP SPAM with the new MSN 8 and get 2 months FREE* http://join.msn.com/?page=features/junkmail
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
