I get what you are trying to do. I could be wrong, but the spec seems written more towards protecting data from unauthorized users rather than protecting jsp files from direct client access. Here are some suggestions I thought of:

- Precompile the jsp source to .class files. Then remove the jsp source from the binary dist.

- Introduce a token that's created in the controller servlet and removed in the jsp. If it doesn't exist when the jsp starts processing, the client made a direct access and the jsp can then do an internal forward to the controller or error page.

- Write a filter to watch for direct jsp access and handle it.

- Have the jsp analyze the request to determine whether it was called directly or via the internal forward mechanism and then do something about it.

The first one is a must if you are worried about the client getting the jsp source somehow. The remaining three would help take care of the case where the jsp needs some data from the controller and will die a horrible death without it. I don't have code to share for these suggestions -- just trying to give you some ideas to work with.

--David
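As an added illustration of the second and third suggestions above (this is example code, not anything David or Robert posted): a servlet filter that treats any `*.jsp` request lacking the container's forward attribute as direct client access and hands it to the controller. It assumes a Servlet 2.4 container (Tomcat 5) and a controller servlet mapped at `/controller`; both names are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

// Rejects direct client access to .jsp resources: only requests that arrived
// through RequestDispatcher.forward() (i.e. from the controller) are allowed
// to reach the page. Everything else is re-routed to the controller.
public class DirectJspAccessFilter implements Filter {
    // Servlet 2.4 sets this attribute on a request that reached its target via
    // a forward; a request straight from the client does not carry it.
    private static final String FORWARD_URI = "javax.servlet.forward.request_uri";

    // Assumed path of the controller servlet; override via an init-param.
    private String controllerPath = "/controller";

    public void init(FilterConfig config) {
        String p = config.getInitParameter("controllerPath");
        if (p != null) {
            controllerPath = p;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        boolean isJsp = request.getServletPath().endsWith(".jsp");
        boolean forwarded = request.getAttribute(FORWARD_URI) != null;

        if (isJsp && !forwarded) {
            // Direct access: send the client through the controller so the
            // page always runs with the data it expects. Responding with
            // 404 instead is equally valid if the pages should be invisible.
            request.getRequestDispatcher(controllerPath).forward(request, res);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
    }
}
```

Map it in web.xml to the url-pattern `*.jsp` with `<dispatcher>REQUEST</dispatcher>` (the 2.4 default), so the controller's own forwards never re-enter the filter; the attribute check is then a second line of defence for containers that also dispatch FORWARD through filters.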


Robert Taylor wrote:

I'm not trying to re-invent anything. I'm just trying to leverage the specification to secure resources.

Personally I prefer WEB-INF to contain web application
configuration and information resources instead of content
and other non-configuration resources. IMHO, its intuitive that
way.

For anyone else that may even be remotely interested in this
topic, some further googling produced some interesting results.
I searched using the string:

    "preventing direct access to .jsp files"

It appears that there is no standard way to do this even though
it's implied in the spec.

Here's a good example:
http://forums.bea.com/bea/message.jspa?messageID=202433201

Oh well...

/robert



-----Original Message-----
From: Hassan Schroeder [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 14, 2004 5:55 PM
To: Tomcat Users List
Subject: Re: [newbie] Container Managed Security - preventing direct access to .jsp


Robert Taylor wrote:



Does this not imply that I can do what I am trying to do?


I suppose; I'm just baffled why you want to reinvent this particular
built-in wheel, but don't let that stop you :-)

--
Hassan Schroeder ----------------------------- [EMAIL PROTECTED]
Webtuitive Design ===  (+1) 408-938-0567   === http://webtuitive.com

                          dream.  code.



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




