Win a copy of The Java Performance Companion this week in the Performance forum!
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

how to block direct access to jsp files?

 
david chan
Ranch Hand
Posts: 46
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi,
I have this web.xml config works in tomcat, but doesn't work in WSAD 4.0.3 test environment. I wonder what need to set for WSAD. What I want is block the user direct access to jsp files, all content will be served by Struts action class.
here is my config on web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>blockJSPDirectAccess</web-resource-name>
<description>to block JSP direct access</description>
<url-pattern>*.jsp</url-pattern>
</web-resource-collection>
<auth-constraint>
<description></description>
<role-name></role-name>
</auth-constraint>
</security-constraint>
 
David Hibbs
Ranch Hand
Posts: 374
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
From Ted Husted's struts design catalog (http://husted.com/struts/catalog.html), he advises putting all jsp files under WEB-INF/ and letting the servlet container protect them. To be honest, though, I haven't had the chance to try it since I saw this description. Maybe some time this week...
[ June 19, 2003: Message edited by: David Hibbs ]
 
Vinod Bijlani
Ranch Hand
Posts: 133
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
try this
IN plugin-cfg.xml,
<AffinityURLIdentifier="jsessionid" Name="/urappuri/*.do"/>
instead of /urappuri/* put /urappuri/*.do
[ June 21, 2003: Message edited by: Vinod Bijlani ]
 
It is sorta covered in the JavaRanch Style Guide.
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic