Maybe I'm not fully understanding the request but can't you create a Security Folder and list out only the JSPs that you want to allow the users access to? My application is a third party application so I didn't develop it but they use a folder that has a list of .jsps that I can access so I assume they have set it up in the code.
Or am I just telling you the end state that you want to achieve without actually coding suggesting any coding for you? Thanks, Louis -----Original Message----- From: David Wall [mailto:d.w...@computer.org] Sent: Thursday, August 16, 2018 2:27 PM To: users@tomcat.apache.org Subject: Re: how to prevent user access to JSP pages? - - - external message, proceed with caution - - - I'll be curious to see the answers. JSPs are servlets. For us, the common way would be for your non-JSP servlets to authenticate the request (and save the results in the request), and then your JSPs can check if the request has been authenticated before progressing further. Of course, if it's just a login check, you can save the results of the authentication in the session, and when missing, redirect to your login. On 8/16/18 10:19 AM, Berneburg, Cris J. - US wrote: > Due to security concerns and general fussiness on my part, I'd like to > prevent users from requesting JSP pages directly, except for the login page. > I want all requests to be handled by servlets. That way I can legitimately > claim that all requests are being validated, input scrubbed, JSP's cannot be > taken advantage of w/o their servlet chaperones being present, etc. > > a. One way I read is by adding a <security-constraint> for each folder. One > use case is for JSP include files. That looks possible but makes it seem > like these are exceptions and not the rule. I want "deny, deny, deny" to be > the default and the one or 2 allowable JSP pages to be the exception. > > b. Another way mentioned is by having most of the JSP files under the WEB-INF > folder. That way the users don't have access to the JSP's but the servlets > do. My understanding is a little wobbly here, because I can't conceptualize > the virtual path for files under WEB-INF when sending a response. (See line > of code below.) Also, that would require moving most of the JSP files. > >> request.getRequestDispatcher("folder/file.jsp"); // what about WEB-INF? > Is there a "smart" way of doing this? Perhaps it would have been prudent to > organize the JSP folders "properly" in the first place, but we're way beyond > that now. > > Got any comments, suggestions, advice? > > Thanks. :-) > > -- > Cris Berneburg > CACI Lead Software Engineer > > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org --------------------------------------- CONFIDENTIALITY NOTICE: This message is for intended addressee(s) only and may contain information that is confidential, proprietary or exempt from disclosure. If you are not the intended recipient, please contact the sender immediately. Unauthorized use or distribution is prohibited and may be unlawful. --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
