struts-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject [Apache Struts Wiki] Updated: StrutsCatalogHidingPagesUnderWEBINF
Date Sat, 01 Jan 2005 18:05:32 GMT
   Date: 2005-01-01T10:05:31
   Editor: DavidKarr
   Wiki: Apache Struts Wiki
   Page: StrutsCatalogHidingPagesUnderWEBINF

   no comment

Change Log:

@@ -19,3 +19,11 @@
 I personally prefer to use filter for hiding pages. I set filter to return 404 on every request
for *.jsp page. I can also change filter to allow for example only index.jsp to pass, but
all other pages to be unavailable. This is IMHO better than relying on container implementation.
 -- IvanRekovic
+Another option for disallowing access to JSPs is simply to add a security-constraint for
the  role "nobody" for "*.jsp".  Unfortunately, it appears you have to add one "url-pattern"
element for every subdirectory.  I don't believe there's any way to specify something like
"**/*.jsp", as in Ant.
+You can even disallow access to JSPs in the root of the app, like "index.jsp".  You might
think this makes it impossible to have a welcome page. However, one "trick" that I believe
should work in all containers is to set your welcome file to "", create a file called
"" in the root (contents are irrelevant), and create an action-mapping for "/".
 This works because the servlet specification states that the named welcome file needs to
exist, but then it hands the URL to the container to serve, which handles it just like any
other URL.
+-- DavidKarr

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message