On 8/17/2018 8:52 AM, Christopher Schultz wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Mark,
On 8/17/18 3:54 AM, Mark Thomas wrote:
On 16/08/18 18:19, Berneburg, Cris J. - US wrote:
Due to security concerns and general fussiness on my part, I'd
like to prevent users from requesting JSP pages directly, except
for the login page. I want all requests to be handled by
servlets. That way I can legitimately claim that all requests
are being validated, input scrubbed, JSP's cannot be taken
advantage of w/o their servlet chaperones being present, etc.
I'm struggling to understand what risks exists with JSPs that don't
with Servlets. After all, a JSP is just an alternative way to write
a Servlet. Tomcat translates the .jsp file to the .java source for
a servlet, compiles it and runs it.
Can you elaborate?
JSP support for input validation, etc. is basically non-existent. I'm
sure someone has a crappy library that can do it, and yes, you can
implement everything in JSP using miles of tag libraries and stuff
like that, but in the application world, that's a serious no-no.
MVC (or some version of it, under various names) is the "proper" way
to build software, and JSPs are relegated to the "V" portion of that
paradigm.
Once you have decided that JSPs are squarely in the "V" category, it's
no longer appropriate for them to be treated as "C" components and
therefore they should not be accessed directly. Protecting them from
direct-access is a reasonable decision for a number of reasons,
including security if you have pages that cough-up sensitive
information under the assumption that authentication and authorization
requirements have previously been satisfied.
Sure, the container's authentication and authorization should be able
to protect those JSPs just fine, but the application may have other
controls in place that also need to sanity-check things before the JSP
takes over.
So, while there isn't anything particularly "dangerous" about
direct-access to JSPs, there are a number of "best practices" that
suggest that hiding them is a good idea.
I hope that helps explain Cris's (likely) reasoning a little more.
- -chris
As far as I know, there is no input validation that can be performed in
servlets that can't also be performed in JSP pages using the same Java
code. Also, I'm not aware of any functional limitation that prevents
JSP pages (classes) from being used as controllers. As I understand
them, JSPs can do anything that can be done in servlets and offer
additional facilities and ease-of-use. They may be thought of as
view-generators only but I don't think that's a functional limitation.
Could a servlet filter be used to reject external requests for JSP pages?
-Terence Bandoian
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
