From: Steven Valin
Date: Mon, 01 Oct 2001 07:53:36 -0400
To: struts-user@jakarta.apache.org
Subject: Re: security question

Interesting. A reply from their tech support indicates that WebLogic 6
still does not permit this, as do my own tests.

"Khorramrouz, Turaj" wrote:

> Hi Jonathan,
> you don't have the problem with "RequestDispatching to JSPs underneath
> WEB-INF" in weblogic 5.1 with sp 10 any more.
>
> regards,
>
> Turaj
>
> -----Original Message-----
> From: Jonathan M Crater [mailto:jonathan_m_crater@fanniemae.com]
> Sent: Montag, 24. September 2001 17:49
> To: struts-user@jakarta.apache.org
> Subject: security question
>
> i'm using weblogic 5.1, which does not allow RequestDispatching to JSPs
> underneath WEB-INF. so i'm stuck keeping my JSPs outside WEB-INF. as a
> result, i have to secure requests to both JSPs and actions. securing the
> actions is just a matter of sub-classing ActionServlet and providing logic
> to check for certain secured paths. the problem is i don't want to repeat
> the logic in the JSPs--either through a tag library or otherwise. does
> anyone have any suggestions as to how best to prevent a situation where a
> user requests a JSP page directly when it should have gone through the
> sub-classed ActionServlet? i was thinking of just setting a request
> parameter for each request as it passes through the ActionServlet. that
> way, in the JSP i can just test for that value to determine whether the
> request went through the proper channel. if not, i can redirect to an
> error page.
>
> thoughts? suggestions?

-- 
Steven Valin
steven.valin@javelinsoftware.com
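
A sketch of the marker idea raised in the quoted question, added here as an example and not code from anyone in this thread or from Struts. It uses a request attribute instead of a request parameter, because a parameter can be supplied by the client in the URL while an attribute can only be set by server-side code. It assumes the Struts 1.x ActionServlet.process(request, response) hook; the class name, attribute name and /error.jsp path are hypothetical.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.ActionServlet;

// Hypothetical subclass; class, attribute and page names are assumptions.
public class GuardedActionServlet extends ActionServlet {

    // Attributes exist only on the server side of a request. A client can
    // add any parameter to the query string but cannot set an attribute.
    public static final String VIA_CONTROLLER = "example.viaController";

    // Every action request passes through process() before it is forwarded.
    protected void process(HttpServletRequest request,
                           HttpServletResponse response)
            throws IOException, ServletException {
        // The secured-path checks mentioned in the question would run here,
        // before the marker is set.
        request.setAttribute(VIA_CONTROLLER, Boolean.TRUE);
        super.process(request, response);
    }

    // True only when this servlet handled the request before the JSP ran.
    public static boolean cameThroughController(HttpServletRequest request) {
        return Boolean.TRUE.equals(request.getAttribute(VIA_CONTROLLER));
    }

    // Redirects a directly requested JSP to the error page.
    // Returns true when the calling JSP must stop rendering.
    // JSP usage, first line of each protected page:
    //   <% if (GuardedActionServlet.rejectIfDirect(request, response)) return; %>
    public static boolean rejectIfDirect(HttpServletRequest request,
                                         HttpServletResponse response)
            throws IOException {
        if (cameThroughController(request)) {
            return false;
        }
        response.sendRedirect(request.getContextPath() + "/error.jsp");
        return true;
    }
}
```

The marker survives a RequestDispatcher forward but not a redirect, so an action that redirects to a JSP would be treated as a direct request. The error page itself must not call the guard, or the redirect loops.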