- Precompile the jsp source to .class files. Then remove the jsp source from the binary dist.
- Introduce a token that's created in the controller servlet and removed in the jsp. If it doesn't exist when the jsp starts processing, the client made a direct access and the jsp can then do an internal forward to the controller or error page.
- Write a filter to watch for direct jsp access and handle it.
- Have the jsp analyze the request to determine whether it was called directly or via the internal forward mechanism and then do something about it.
The first one is a must if you are worried about the client getting the jsp source somehow. The remaining three would help take care of the case where the jsp needs some data from the controller and will die a horrible death without it. I don't have code to share for these suggestions -- just trying to give you some ideas to work with.
--David
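As an added illustration of the third and second suggestions above (this is example code, not anything posted in the thread): a servlet filter mapped to `*.jsp` that refuses direct client requests and only lets a request through when it arrived via an internal forward and carries a token the controller set. It assumes Servlet 2.4 or later (the `javax.servlet.forward.request_uri` attribute) and a hypothetical attribute name `controller.token`.

```java
// Added example, not from the mailing-list thread. Assumes Servlet 2.4+ (Tomcat 5),
// which sets javax.servlet.forward.request_uri on RequestDispatcher.forward().
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class DirectJspAccessFilter implements Filter {

    // Present only when the container forwarded the request internally.
    private static final String FORWARD_MARKER = "javax.servlet.forward.request_uri";
    // Hypothetical request attribute the controller servlet sets before forwarding.
    private static final String CONTROLLER_TOKEN = "controller.token";

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        boolean forwarded = request.getAttribute(FORWARD_MARKER) != null;
        boolean hasToken = request.getAttribute(CONTROLLER_TOKEN) != null;

        if (!forwarded || !hasToken) {
            // Direct access (or a forward that bypassed the controller): the view
            // would run without its data. Answer 404 rather than reveal the JSP path.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Consume the token so it is only good for this one forward to the view.
        request.removeAttribute(CONTROLLER_TOKEN);
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
/* web.xml mapping: apply the filter to direct requests and to forwards alike.
   <filter-mapping>
     <filter-name>directJspAccess</filter-name>
     <url-pattern>*.jsp</url-pattern>
     <dispatcher>REQUEST</dispatcher>
     <dispatcher>FORWARD</dispatcher>
   </filter-mapping>
*/
```

If you would rather keep the JSP reachable for a recovery path, replace the `sendError` with a `RequestDispatcher.forward()` back to the controller, as the reply above also suggests.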
Robert Taylor wrote:
I'm not trying to re-invent anything. I'm just trying to leverage the specification to secure resources.
Personally I prefer WEB-INF to contain web application configuration and information resources instead of content and other non-configuration resources. IMHO, it's intuitive that way.
For anyone else that may even be remotely interested in this topic, some further googling produced some interesting results. I searched using the string:
"preventing direct access to .jsp files"
It appears that there is no standard way to do this even though it's implied in the spec.
Here's a good example: http://forums.bea.com/bea/message.jspa?messageID=202433201
Oh well...
/robert
-----Original Message-----
From: Hassan Schroeder [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 14, 2004 5:55 PM
To: Tomcat Users List
Subject: Re: [newbie] Container Managed Security - preventing direct access to .jsp
Robert Taylor wrote:
Does this not imply that I can do what I am trying to do?
I suppose; I'm just baffled why you want to reinvent this particular built-in wheel, but don't let that stop you :-)
--
Hassan Schroeder ----------------------------- [EMAIL PROTECTED]
Webtuitive Design === (+1) 408-938-0567 === http://webtuitive.com
dream. code.
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]