> One thing you could try is a servlet mapping that sends all requests ending > in that directory that end with .jsp
...all requests FROM that directory that end with ".jsp". Haven't had my coffee yet...... ;-) On Friday 12 December 2003 09:36 am, Ben Souther wrote: > It sounds like Albert wants certain (static) files to be viewable. > He just doesn't want anyone to be able to execute JSPs from this directory. > > One thing you could try is a servlet mapping that sends all requests ending > in that directory that end with .jsp to a servlet that sends back a message > ("FORBIDDEN FILE"). > > <servlet-mapping> > <servlet-name>ForbiddenFileServlet</servlet-name> > <url-pattern>/DIRECTORY_NAME/*.jsp</url-pattern> > </servlet-mapping> > > -Ben > > On Friday 12 December 2003 09:10 am, Tim Funk wrote: > > Ideally, files you don't want to be seen should be placed in WEB-INF. > > > > An alternative is to use a security constraint on the directory that has > > all of the content. This can be done in apache too via the <Location> > > directive. > > > > Another way is to place all those JSP's with a different extension and > > then add the mapping to web.xml. Then add the security contraint for that > > file extension. (Or let apache disallow that file extension) > > > > Forwarding to the default servelt WILL provide a 404 because it is a 404. > > The default servlet gets any request not assigned to any other servlet. > > So if the default servlet find the resource, it returns a 404. > > > > -Tim > > > > Albert Moliner wrote: > > > Hello. > > > > > > I've searched the archives on this subject, but the nearest I've > > > reached has been some posts about not serving static content. It's a > > > bit of a surprise that no one has asked this before, so sorry if it is > > > a recurrent question. > > > > > > I want Tomcat (4) to execute JSPs as usual, but prevent it from running > > > the files that are under a certain directory for security reasons. > > > These files can be published by external people and are supposed to be > > > static, but if some mischievous publisher posts a JSP and it is > > > executed then there can be havoc. > > > > > > Apart from preventing the publishing of files with that extension, is > > > there a possible configuration that can be set up? > > > > > > I've tried mapping requests to that dir to the default servlet in > > > web.xml, but 404 errors are returned (why??), and some other wierd > > > things like using an intermediate servlet that forwards to the default > > > servlet through its named request dispatcher (the forward method does > > > not seem to do anything when using the dault servlet, while any other > > > seems to work) or setting up a separate context for that dir and > > > forward requests to the context, which maps *.jsp to the default > > > context (I'll skip the details), but I can't find the solution... > > > > > > What astonishes me more is that forwarding or mapping to the default > > > servlet does not work, but anyway I must be doing something wrong... > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: [EMAIL PROTECTED] > > For additional commands, e-mail: [EMAIL PROTECTED] -- Ben Souther F.W. Davison & Company, Inc. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]