Hi Mark

Thanks for taking the time to reply.  :-)

cjb> Due to security concerns and general fussiness on my part, I'd like 
cjb> to prevent users from requesting JSP pages directly [...].  That 
cjb> way I can legitimately claim that all requests are being validated, 
cjb> input scrubbed, JSP's cannot be taken advantage of w/o their 
cjb> servlet chaperones being present, etc.

mt> I'm struggling to understand what risks exist with JSPs that don't
mt> with Servlets. After all, a JSP is just an alternative way to write
mt> a Servlet. Tomcat translates the .jsp file to the .java source for a
mt> servlet, compiles it and runs it.
mt> Can you elaborate?

See Chris Shultz's reply about MVC.  He pretty much nailed it.

For me, it's a twofold combination of (a) security concerns and (b) separation 
of responsibilities.

a. Security - shrink the attack surface.

b. Separation of duties - I want the JSP's to simply render pages and the 
non-JSP servlets to do all the heavy lifting.

--
Cris Berneburg, Lead Software Engineer
CACI, IRMA Project
phone: 703-679-5313

