On Mon, Jun 19, 2017 at 3:09 PM, Mark Thomas <ma...@apache.org> wrote:

> On 19/06/17 08:24, Greg Huber wrote:
> > Hello,
> >
> > If I add a security constraint to block direct access to jsp outside of
> > /WEB-INF/ it blocks the welcome-file with a 403.  Is there a caveat for
> > using this here?
>
> Your welcome file is invalid. It should be a file name without a path.
> Remember it applies to all directories, not just the web application root.
>
> Security constraints apply to welcome files.
>
> You'll need to use a servlet to do a forward to "WEB-INF/jsps/index.jsp"
>
> Mark
>
>
> >
> > <!-- Restricts access to pure JSP files - access available only via
> Struts
> > action -->
> >      <security-constraint>
> >          <display-name>No direct JSP access</display-name>
> >          <web-resource-collection>
> >              <web-resource-name>No-JSP</web-resource-name>
> >              <url-pattern>*.jsp</url-pattern>
> >          </web-resource-collection>
> >          <auth-constraint>
> >              <role-name>no-users</role-name>
> >          </auth-constraint>
> >      </security-constraint>
> >
> >      <security-role>
> >          <description>Don't assign users to this role</description>
> >          <role-name>no-users</role-name>
> >      </security-role>
> >
> >      <welcome-file-list>
> >          <welcome-file>WEB-INF/jsps/index.jsp</welcome-file>
> >      </welcome-file-list>
> >
> > Cheers Greg
> >
>
This is what I have done using spring.

    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RequestParam;
    import org.springframework.web.servlet.ModelAndView;

    // Handles both "/" (the welcome page) and "/login"; the optional "error" and
    // "logout" parameters are what Spring Security appends on a failed login or
    // after logout.
    @RequestMapping(value = { "/", "/login" })
    public ModelAndView login(@RequestParam(value = "error", required = false) String error,
            @RequestParam(value = "logout", required = false) String logout) {
        ModelAndView modelAndView = new ModelAndView();
        // The view resolver's prefix/suffix (e.g. /WEB-INF/jsp/ and .jsp) turn the
        // logical name "login" into a server-side forward to /WEB-INF/jsp/login.jsp.
        modelAndView.setViewName("login");
        return modelAndView;
    }

And my login.jsp file resides inside the WEB-INF/jsp/login.jsp

In case you are using Spring. ;)
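For the non-Spring case Mark describes, a plain servlet that forwards to the JSP under WEB-INF; this is an added example, not code from the thread, and it assumes Servlet 3.0+ annotations, a JSP at /WEB-INF/jsps/index.jsp, and a web.xml entry of `<welcome-file>index.html</welcome-file>` (the hypothetical mapping path chosen here):

```java
package example; // hypothetical package name

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Mapped to the exact path "/index.html". With
//   <welcome-file-list><welcome-file>index.html</welcome-file></welcome-file-list>
// in web.xml (a plain file name, no path, as Mark notes), Tomcat resolves the
// welcome file through this exact servlet mapping, so a request for "/" lands
// here even though no index.html file exists on disk.
@WebServlet(name = "IndexServlet", urlPatterns = {"/index.html"})
public class IndexServlet extends HttpServlet {

    private static final String INDEX_JSP = "/WEB-INF/jsps/index.jsp";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // <security-constraint> is evaluated only against the client's original
        // request, not against a FORWARD dispatch. The *.jsp constraint therefore
        // still returns 403 for a direct GET of any JSP outside WEB-INF, while this
        // server-side forward to a JSP under /WEB-INF/ (never client-addressable
        // in the first place) renders normally.
        req.getRequestDispatcher(INDEX_JSP).forward(req, resp);
    }
}
```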

