This week's book giveaway is in the Kotlin forum.
We're giving away four copies of Kotlin for Android App Development and have Peter Sommerhoff on-line!
See this thread for details.
Win a copy of Kotlin for Android App Development this week in the Kotlin forum!
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Liutauras Vilda
  • Devaka Cooray
  • Jeanne Boyarsky
  • Bear Bibeault
Sheriffs:
  • Junilu Lacar
  • Paul Clapham
  • Knute Snortum
Saloon Keepers:
  • Ron McLeod
  • Tim Moores
  • Stephan van Hulst
  • salvin francis
  • Carey Brown
Bartenders:
  • Tim Holloway
  • Frits Walraven
  • Ganesh Patekar

question on security  RSS feed

 
Ranch Hand
Posts: 393
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hello Ranchers,

Is security constraint element application only to files outside web-inf, I mean if there is folder myproject/jsp, can I use security const. to secure resources to this folder.
 
Sheriff
Posts: 14691
16
Eclipse IDE Ubuntu VI Editor
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator

Is security constraint element application only to files outside web-inf


WEB-INF is by default not accessible, why would you put some security on it ?
 
author and cow tipper
Posts: 5000
1
Hibernate Spring Tomcat Server
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Okay, I think I know where you're going here.

If the JSP is in the WEB-INF folder, it can't be accessed, unless it is named in the web.xml file. Then, through the name, you can make it part of the security constraint.

You CAN indeed place a security constraint on a named JSP outside of WEB-INF. You need an alias for the JSP, and the constraint is placed on the ALIAS. When someone calls the JSP using the alias, the constraint is triggered. However, AND HERE IS THE RUB, if someone calls the JSP directly through the URL, the security constraint is not invoked.

Moral of the story? Put those darned JSPs in the WEB-INF if they need to be secured.
 
All of the world's problems can be solved in a garden - Geoff Lawton. Tiny ad:
RavenDB is an Open Source NoSQL Database that’s fully transactional (ACID) across your database
https://coderanch.com/t/704633/RavenDB-Open-Source-NoSQL-Database
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!