struts-user mailing list archives

From Timothy Orme <to...@genome.med.harvard.edu>
Subject Re: Disabling JSP's
Date Fri, 15 May 2009 18:46:49 GMT
Ah perfect, I was not aware this was the case. Thanks!

Jim Kiley wrote:
> Put the JSP under /WEB-INF -- it is accessible to Struts routing but not
> directly viewable by end clients.
> jk
> 
> On Fri, May 15, 2009 at 2:36 PM, Timothy Orme
> <torme@genome.med.harvard.edu> wrote:
> 
>> Hello All,
>>
>>        I'm in the process of migrating pages from JSPs using snippets to
>> Struts actions. I'm wondering how people have disabled access to JSPs so
>> that they cannot be accessed outside of the action anymore.
>>        Right now if I have an action like:
>>
>>        <action name="ViewIndex" class="action.BaseAction">
>>                <result name="success">/private/index.jsp</result>
>>        </action>
>>
>>        There is nothing preventing the user from just browsing directly to
>> /private/index.jsp instead of accessing it through the Action URL. This
>> could have some bad implications about security, but also might just look
>> bad if a page that should be receiving data from an action no longer has the
>> source.
>>
>>        How have people worked around this in the past?
>>
>> -Tim Orme
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
>> For additional commands, e-mail: user-help@struts.apache.org
>>
>>
> 
> 
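
Added example, not part of the original thread: a small Python check that parses a struts.xml and lists JSP results a client could still request directly because they sit outside /WEB-INF. The ViewReport action, the /WEB-INF/jsp/report.jsp path and the function names are assumptions made for illustration; only the ViewIndex action comes from the post above.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the first action is the one quoted in the thread,
# the second is a hypothetical action whose JSP was already moved.
SAMPLE_STRUTS_XML = """
<struts>
  <package name="default" extends="struts-default">
    <action name="ViewIndex" class="action.BaseAction">
      <result name="success">/private/index.jsp</result>
    </action>
    <action name="ViewReport" class="action.BaseAction">
      <result name="success">/WEB-INF/jsp/report.jsp</result>
    </action>
  </package>
</struts>
"""


def is_protected(path):
    """True if the result path lies under /WEB-INF/, which the container never serves directly."""
    # Relative paths are treated as unprotected: they resolve against the
    # action's namespace, so they cannot be assumed to land in /WEB-INF/.
    return path.strip().startswith("/WEB-INF/")


def find_exposed_results(struts_xml):
    """Return (action, result, path) tuples for JSP results reachable without the action."""
    findings = []
    root = ET.fromstring(struts_xml.strip())
    for action in root.iter("action"):
        for result in action.findall("result"):
            path = (result.text or "").strip()
            if path.lower().endswith(".jsp") and not is_protected(path):
                # Struts 2 uses "success" when the result has no name attribute.
                findings.append((action.get("name"), result.get("name", "success"), path))
    return findings


if __name__ == "__main__":
    for action, result, path in find_exposed_results(SAMPLE_STRUTS_XML):
        print(f"{action} [{result}]: {path} can be requested directly; move it under /WEB-INF/")
```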



