struts-user mailing list archives

From Antonio Sánchez <juntandolin...@gmail.com>
Subject Re: Best practice for protecting JSPs
Date Mon, 01 Jul 2013 08:59:03 GMT
Filtering sounds good as well.

Security seems to be a separate concern to Struts because it must be mostly 
performed from the outside: web.xml, filtering, maybe Spring Security or other tools, 
etc...

Anyway I have missed some guidance in the documentation: feature request?

Also, I guess that security features are out of scope, is that right? Perhaps some 
support for standard use cases, like user login, would help. 



On Monday, 1 July 2013 09:44:35 Antonios Gkogkakis wrote:
> What we've done is to create a filter (implement javax.servlet.Filter and
> define it in web.xml)
> and if the resource URI ends with .jsp we return an HTTP 403 error.
> 
> Antonios
> 
> On 1 July 2013 09:38, Lukasz Lenart <lukaszlenart@apache.org> wrote:
> > 2013/7/1 Antonio Sánchez <juntandolineas@gmail.com>:
> > > I need to protect JSPs. Some options:
> > > 
> > > 1. Put JSPs under WEB-INF and, optionally, use the conventions plugin.
> > > 
> > > 2. Declare authorization constraints in web.xml.
> > 
> > These two options are the best to avoid direct access to JSPs - not
> > all containers block access to resources in WEB-INF and fake auth
> > constraints will solve that problem and it's an ultimate solution.
> > 
> > 
> > Regards
> > --
> > Łukasz
> > + 48 606 323 122 http://www.lenart.org.pl/
