> One thing you could try is a servlet mapping that sends all requests ending
> in that directory that end with .jsp

...all requests FROM that directory that end with ".jsp". 

Haven't had my coffee yet...... ;-)


On Friday 12 December 2003 09:36 am, Ben Souther wrote:
> It sounds like Albert wants certain (static) files to be viewable.
> He just doesn't want anyone to be able to execute JSPs from this directory.
>
> One thing you could try is a servlet mapping that sends all requests ending
> in that directory that end with .jsp to a servlet that sends back a message
> ("FORBIDDEN FILE").
>
>   <servlet-mapping>
>     <servlet-name>ForbiddenFileServlet</servlet-name>
>     <url-pattern>/DIRECTORY_NAME/*.jsp</url-pattern>
>   </servlet-mapping>
>
> -Ben
>
> On Friday 12 December 2003 09:10 am, Tim Funk wrote:
> > Ideally, files you don't want to be seen should be placed in WEB-INF.
> >
> > An alternative is to use a security constraint on the directory that has
> > all of the content. This can be done in apache too via the <Location>
> > directive.
> >
> > Another way is to place all those JSPs with a different extension and
> > then add the mapping to web.xml. Then add the security constraint for that
> > file extension. (Or let apache disallow that file extension)
> >
> > Forwarding to the default servlet WILL provide a 404 because it is a 404.
> > The default servlet gets any request not assigned to any other servlet.
> > So if the default servlet find the resource, it returns a 404.
> >
> > -Tim
> >
> > Albert Moliner wrote:
> > > Hello.
> > >
> > > I've searched the archives on this subject, but the nearest I've
> > > reached has been some posts about not serving static content. It's a
> > > bit of a surprise that no one has asked this before, so sorry if it is
> > > a recurrent question.
> > >
> > > I want Tomcat (4) to execute JSPs as usual, but prevent it from running
> > > the files that are under a certain directory for security reasons.
> > > These files can be published by external people and are supposed to be
> > > static, but if some mischievous publisher posts a JSP and it is
> > > executed then there can be havoc.
> > >
> > > Apart from preventing the publishing of files with that extension, is
> > > there a possible configuration that can be set up?
> > >
> > > I've tried mapping requests to that dir to the default servlet in
> > > web.xml, but 404 errors are returned (why??), and some other weird
> > > things like using an intermediate servlet that forwards to the default
> > > servlet through its named request dispatcher (the forward method does
> > > not seem to do anything when using the default servlet, while any other
> > > seems to work) or setting up a separate context for that dir and
> > > forward requests to the context, which maps *.jsp to the default
> > > context (I'll skip the details), but I can't find the solution...
> > >
> > > What astonishes me more is that forwarding or mapping to the default
> > > servlet does not work, but anyway I must be doing something wrong...
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]

-- 
Ben Souther
F.W. Davison & Company, Inc.
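
An added example, not code from the thread: the Servlet specification only recognises prefix (`/dir/*`), extension (`*.jsp`) and exact-match URL patterns, so a combined pattern such as `/DIRECTORY_NAME/*.jsp` is matched literally, and a filter mapped to the directory prefix can do the extension check itself. `NoJspFilter` and the mapping shown in the comment are assumed names; `DIRECTORY_NAME` is the placeholder used above.

```java
// Added example (hypothetical class name). Register it in web.xml (Servlet 2.3+):
//   <filter>
//     <filter-name>NoJspFilter</filter-name>
//     <filter-class>NoJspFilter</filter-class>
//   </filter>
//   <filter-mapping>
//     <filter-name>NoJspFilter</filter-name>
//     <url-pattern>/DIRECTORY_NAME/*</url-pattern>
//   </filter-mapping>
import java.io.IOException;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class NoJspFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // Decoded path inside the web application, without the query string.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }
        if (isJsp(path)) {
            // Refuse before the request can reach the JSP servlet.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Everything else (static files) continues to the default servlet.
        chain.doFilter(req, res);
    }

    // Conservative check: compared in lower case, and covers .jspx as well.
    static boolean isJsp(String path) {
        String p = path.toLowerCase(Locale.ENGLISH);
        return p.endsWith(".jsp") || p.endsWith(".jspx");
    }

    public void destroy() { }
}
```

The filter only sees the extensions it checks for, so any other extension that web.xml maps to the JSP servlet needs to be added to `isJsp`.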


