• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Liutauras Vilda
  • Campbell Ritchie
  • Tim Cooke
  • Bear Bibeault
  • Devaka Cooray
Sheriffs:
  • Jeanne Boyarsky
  • Knute Snortum
  • Junilu Lacar
Saloon Keepers:
  • Tim Moores
  • Ganesh Patekar
  • Stephan van Hulst
  • Pete Letkeman
  • Carey Brown
Bartenders:
  • Tim Holloway
  • Ron McLeod
  • Vijitha Kumara

question on security  RSS feed

 
Ranch Hand
Posts: 392
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hello Ranchers,

Is security constraint element application only to files outside web-inf, I mean if there is folder myproject/jsp, can I use security const. to secure resources to this folder.
 
Sheriff
Posts: 14691
16
Eclipse IDE Ubuntu VI Editor
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator

Is security constraint element application only to files outside web-inf


WEB-INF is by default not accessible, why would you put some security on it ?
 
author and cow tipper
Saloon Keeper
Posts: 4968
1
Hibernate Spring Tomcat Server
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Okay, I think I know where you're going here.

If the JSP is in the WEB-INF folder, it can't be accessed, unless it is named in the web.xml file. Then, through the name, you can make it part of the security constraint.

You CAN indeed place a security constraint on a named JSP outside of WEB-INF. You need an alias for the JSP, and the constraint is placed on the ALIAS. When someone calls the JSP using the alias, the constraint is triggered. However, AND HERE IS THE RUB, if someone calls the JSP directly through the URL, the security constraint is not invoked.

Moral of the story? Put those darned JSPs in the WEB-INF if they need to be secured.
 
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!