On Mon, Jun 19, 2017 at 3:09 PM, Mark Thomas <ma...@apache.org> wrote:
> On 19/06/17 08:24, Greg Huber wrote:
> > Hello,
> >
> > If I add a security constraint to block direct access to jsp outside of
> > /WEB-INF/ it blocks the welcome-file with a 403. Is there a caveat for
> > using this here?
>
> Your welcome file is invalid. It should be a file name without a path.
> Remember it applies to all directories, not just the web application root.
>
> Security constraints apply to welcome files.
>
> You'll need to use a servlet to do a forward to "WEB-INF/jsps/index.jsp"
>
> Mark
>
> > <!-- Restricts access to pure JSP files - access available only via Struts action -->
> > <security-constraint>
> >     <display-name>No direct JSP access</display-name>
> >     <web-resource-collection>
> >         <web-resource-name>No-JSP</web-resource-name>
> >         <url-pattern>*.jsp</url-pattern>
> >     </web-resource-collection>
> >     <auth-constraint>
> >         <role-name>no-users</role-name>
> >     </auth-constraint>
> > </security-constraint>
> >
> > <security-role>
> >     <description>Don't assign users to this role</description>
> >     <role-name>no-users</role-name>
> > </security-role>
> >
> > <welcome-file-list>
> >     <welcome-file>WEB-INF/jsps/index.jsp</welcome-file>
> > </welcome-file-list>
> >
> > Cheers Greg

This is what I have done using Spring.

    @RequestMapping(value = { "/", "/login" })
    public ModelAndView login(
            @RequestParam(value = "error", required = false) String error,
            @RequestParam(value = "logout", required = false) String logout) {
        ModelAndView modelAndView = new ModelAndView();
        modelAndView.setViewName("login");
        return modelAndView;
    }

And my login.jsp file resides inside the WEB-INF/jsp/login.jsp

In case you are using Spring. ;)
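
The servlet forward Mark describes, as an added example that is not part of the original thread. The class and servlet names are hypothetical, the JSP path is the one from Greg's web.xml, and the javax.servlet API (Servlet 3.0 or later) is assumed.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical class name. The "" URL pattern (Servlet 3.0+) matches only a
// request for the context root, so the incoming request path never matches
// the *.jsp security constraint.
@WebServlet(name = "welcomeForward", urlPatterns = {""})
public class WelcomeForwardServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    // Path from the thread; the leading slash makes it context-relative.
    private static final String WELCOME_JSP = "/WEB-INF/jsps/index.jsp";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Security constraints are evaluated for requests coming from the
        // client, not for RequestDispatcher forwards, so the "no-users"
        // constraint does not apply to this internal dispatch.
        // Only GET (and HEAD, via HttpServlet) is handled; other methods
        // get the default 405 response.
        req.getRequestDispatcher(WELCOME_JSP).forward(req, resp);
    }
}
```

With this servlet in place the `<welcome-file>WEB-INF/jsps/index.jsp</welcome-file>` entry is no longer needed, and a direct client request for any `*.jsp` URL still receives the 403.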