Win a copy of Spring in Action (5th edition) this week in the Spring forum!
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Bear Bibeault
  • Devaka Cooray
  • Liutauras Vilda
  • Jeanne Boyarsky
Sheriffs:
  • Knute Snortum
  • Junilu Lacar
  • paul wheaton
Saloon Keepers:
  • Ganesh Patekar
  • Frits Walraven
  • Tim Moores
  • Ron McLeod
  • Carey Brown
Bartenders:
  • Stephan van Hulst
  • salvin francis
  • Tim Holloway

question on security  RSS feed

 
Ranch Hand
Posts: 393
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hello Ranchers,

Is security constraint element application only to files outside web-inf, I mean if there is folder myproject/jsp, can I use security const. to secure resources to this folder.
 
Sheriff
Posts: 14691
16
Eclipse IDE Ubuntu VI Editor
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator

Is security constraint element application only to files outside web-inf


WEB-INF is by default not accessible, why would you put some security on it ?
 
author and cow tipper
Posts: 4968
1
Hibernate Spring Tomcat Server
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Okay, I think I know where you're going here.

If the JSP is in the WEB-INF folder, it can't be accessed, unless it is named in the web.xml file. Then, through the name, you can make it part of the security constraint.

You CAN indeed place a security constraint on a named JSP outside of WEB-INF. You need an alias for the JSP, and the constraint is placed on the ALIAS. When someone calls the JSP using the alias, the constraint is triggered. However, AND HERE IS THE RUB, if someone calls the JSP directly through the URL, the security constraint is not invoked.

Moral of the story? Put those darned JSPs in the WEB-INF if they need to be secured.
 
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!