struts-user mailing list archives

From "David G. Friedman" <hum...@ix.netcom.com>
Subject RE: Blocking direct access to JSPs
Date Sat, 29 Jan 2005 15:20:25 GMT
Frank,

I agree with you when a JSP is just a template.  However, many people mix
JSPs with scriptlets and other code nibblets.  Having items such as those
publicly accessible can cause security and functionality issues.  Luckily, I
myself haven't needed to put scriptlets in my JSPs, though I still put my
JSPs, used as (tiles) display templates, under /WEB-INF/pages.

Regards,
One "David"'s $0.02 worth

-----Original Message-----
From: Frank W. Zammetti [mailto:fzlists@omnytex.com]
Sent: Saturday, January 29, 2005 9:07 AM
To: Struts Users Mailing List
Subject: Re: Blocking direct access to JSPs


My argument against it is that WEB-INF is meant to be configuration
information and "support files", and while I agree with viewing JSPs as
templates, I don't view them as support files either.  Let me put it
another way... WEB-INF should be things that are not
application-specific, except for configuration files and libraries.

Also, if a JSP is just a template, surely it won't work without
something on the server having been executed, right?  Therefore, what's
the harm if it's exposed anyway?  I suppose you could argue you wouldn't
even want to expose a stack trace, but it depends how far you want to
carry the argument.  Of course, you could always do:

<% if (request.getAttribute("cameFromServer") != null) { %>
<%-- The page here --%>
<% } %>

Sure, it requires two lines in all JSPs, but it should solve the problem.

Anyway, it's just my feeling on it.

--
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
http://www.omnytex.com

William Stranathan wrote:
> We had this discussion a lot last week, and it seems to be somewhat
> divided on whether JSPs belong in WEB-INF.  What was your compelling
> argument AGAINST it?
>
> My compelling argument FOR it has always been that WEB-INF is where
> application artifacts that are not complete web artifacts belong.  When
> writing in Struts (pseudo-MVC er Model II or whatever you like to call
> it), JSP is NOT web-ready - it's only template data - just like if you
> had an email template that had the blanks filled in.
>
> Of course, I don't put my JSPs DIRECTLY under WEB-INF - usually have
> them broken out by the type of template - web, mobile, email, etc.
>
> w
>
> Tim Christopher wrote:
>
>> Hi,
>>
>> I would like to block direct access to jsp files, and from what I've
>> read the best practice appears to be setting a security-constraint
>> within the web.xml file.  (As opposed to storing all *.jsp files
>> within the WEB-INF folder, though please correct me if that's wrong).
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
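The guard Frank sketches above (an in-page test on a request attribute) can be centralised in a single servlet Filter instead of two scriptlet lines in every JSP. The class below is an added example written for this archive page; it is not code posted by anyone in the thread and not part of Struts. The package and class names are made up, the cameFromServer attribute name is the one from Frank's message, and it assumes a Servlet 2.4 container (the <dispatcher> element and the javax.servlet.forward.* / javax.servlet.include.* request attributes it relies on both arrived in 2.4). The check is sound for the same reason Frank's is: request attributes are only ever set by server-side code, never from the wire, whereas a check on a request parameter could be satisfied by any client that sends it. The trailing comment also spells out the web.xml security-constraint Tim asked about and why a forward still reaches the JSP under it.

```java
// DirectJspAccessFilter.java
// Added example for this thread, not code posted by any participant.
// Assumes a Servlet 2.4 container; package and class names are hypothetical.
package example.web;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Refuses any request for a JSP that arrived directly from a client and
 * lets through only requests that reached the JSP via a server-side
 * RequestDispatcher forward or include (which is what a Struts
 * ActionForward without redirect does).
 */
public class DirectJspAccessFilter implements Filter {

    /** Set by the container on RequestDispatcher.forward() (Servlet 2.4). */
    static final String FORWARD_REQUEST_URI = "javax.servlet.forward.request_uri";
    /** Set by the container on RequestDispatcher.include() (Servlet 2.4). */
    static final String INCLUDE_REQUEST_URI = "javax.servlet.include.request_uri";
    /** Same attribute name Frank's in-page scriptlet guard looks for. */
    static final String CAME_FROM_SERVER = "cameFromServer";

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    public void destroy() {
        // nothing to release
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if (!isServerDispatched(request)) {
            // Direct hit on a template: answer as if it did not exist, so the
            // URL space does not advertise which templates are deployed.
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Reached via forward/include: mark the request so any JSP that still
        // carries Frank's scriptlet guard keeps working, then let it render.
        request.setAttribute(CAME_FROM_SERVER, Boolean.TRUE);
        chain.doFilter(request, response);
    }

    /** True only when the container dispatched this request internally. */
    static boolean isServerDispatched(ServletRequest request) {
        return request.getAttribute(FORWARD_REQUEST_URI) != null
            || request.getAttribute(INCLUDE_REQUEST_URI) != null;
    }
}

/* Matching declaration for web.xml (Servlet 2.4). Without the <dispatcher>
 * elements a filter runs on REQUEST only and would never see the forward,
 * so the marker attribute would never be set:
 *
 *   <filter>
 *     <filter-name>directJspAccess</filter-name>
 *     <filter-class>example.web.DirectJspAccessFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>directJspAccess</filter-name>
 *     <url-pattern>*.jsp</url-pattern>
 *     <dispatcher>REQUEST</dispatcher>
 *     <dispatcher>FORWARD</dispatcher>
 *     <dispatcher>INCLUDE</dispatcher>
 *   </filter-mapping>
 *
 * The purely declarative route Tim asked about needs no filter at all: a
 * security-constraint whose <auth-constraint/> names no role grants access
 * to nobody. Constraints are enforced on requests from the client only, not
 * on RequestDispatcher forwards/includes, so Struts forwards still reach it:
 *
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>JSP templates</web-resource-name>
 *       <url-pattern>*.jsp</url-pattern>
 *     </web-resource-collection>
 *     <auth-constraint/>
 *   </security-constraint>
 */
```

Two caveats apply whichever of the three mechanisms you pick. A Struts ActionForward with redirect="true" turns into a fresh client request for the JSP and will be blocked, so forward to templates and redirect only to actions. And *.jsp covers exactly that extension: a template saved under an extension the container does not map to the JSP servlet (for example a .jspf fragment on a stock Tomcat, which only maps *.jsp and *.jspx) is handed to the default servlet and served as a static file, source and all. Keeping the templates under /WEB-INF as David does sidesteps both extension problems, since the container never serves anything below it to a client while forwards and includes are unaffected.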
