Fair enough. When I mention Container Managed Security, I am refering to using security constraints defined in web.xml to prevent direct access to resources.
More specifically in Section 12.8 of the 2.4 specification: Security constraints are a declarative way of defining the protection of web content. A security constraint associates authorization and or user data constraints with HTTP operations on web resources. A security constraint, which is represented by security-constraint in deployment descriptor, consists of the following elements: • web resource collection (web-resource-collection in deployment descriptor) • authorization constraint (auth-constraint in deployment descriptor) • user data constraint (user-data-constraint in deployment descriptor) The HTTP operations and web resources to which a security constraint applies (i.e. the constrained requests) are identified by one or more web resource collections. A web resource collection consists of the following elements: • URL patterns (url-pattern in deployment descriptor) • HTTP methods (http-method in deployment descriptor) An authorization constraint establishes a requirement for authentication and names the authorization roles permitted to perform the constrained requests. A user must be a member of at least one of the named roles to be permitted to perform the constrained requests. The special role name “*” is a shorthand for all role names defined in the deployment descriptor. An authorization constraint that names no roles indicates that access to the constrained requests must not be permitted under any circumstances. Does this not imply that I can do what I am trying to do? /robert > -----Original Message----- > From: Hassan Schroeder [mailto:[EMAIL PROTECTED] > Sent: Tuesday, December 14, 2004 5:07 PM > To: Tomcat Users List > Subject: Re: [newbie] Container Managed Security - preventing direct > access to .jsp > > > Robert Taylor wrote: > > I didn't realize that was added to the 2.4 spec. > > It was in 2.3, too. I'd guess it was in the spec from the get-go, > but don't have an older copy to hand to confirm. > > > Even so, it would be nice to know how to use CMS to achieve this. > > What is your definition of "Container Managed Security", then, if > not this? The container prevents direct access to the resources > placed within WEB-INF, without you having to do anything else. > > > Maybe a better way to form the question would be how do I use > > CMS to protect .jsp pages from direct access > > as above. > > and return a user > > friendly page/message when a .jsp page is requested without going through > > the controller? > > A custom 404 page should take care of it. And you can get as fancy > with that as you like :-) > > FWIW! > -- > Hassan Schroeder ----------------------------- [EMAIL PROTECTED] > Webtuitive Design === (+1) 408-938-0567 === http://webtuitive.com > > dream. code. > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
