Win a copy of The Little Book of Impediments (e-book only) this week in the Agile and Other Processes forum!
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

question on security

 
Nikhil Jain
Ranch Hand
Posts: 392
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hello Ranchers,

Is security constraint element application only to files outside web-inf, I mean if there is folder myproject/jsp, can I use security const. to secure resources to this folder.
 
Christophe Verré
Sheriff
Posts: 14691
16
Eclipse IDE Ubuntu VI Editor
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Is security constraint element application only to files outside web-inf

WEB-INF is by default not accessible, why would you put some security on it ?
 
Cameron Wallace McKenzie
author and cow tipper
Saloon Keeper
Posts: 4968
1
Hibernate Spring Tomcat Server
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Okay, I think I know where you're going here.

If the JSP is in the WEB-INF folder, it can't be accessed, unless it is named in the web.xml file. Then, through the name, you can make it part of the security constraint.

You CAN indeed place a security constraint on a named JSP outside of WEB-INF. You need an alias for the JSP, and the constraint is placed on the ALIAS. When someone calls the JSP using the alias, the constraint is triggered. However, AND HERE IS THE RUB, if someone calls the JSP directly through the URL, the security constraint is not invoked.

Moral of the story? Put those darned JSPs in the WEB-INF if they need to be secured.
 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic