Date: Mon, 1 Jul 2013 09:44:35 +0100
Subject: Re: Best practice for protecting JSPs
From: Antonios Gkogkakis
To: Struts Users Mailing List

What we've done is to create a filter (implement javax.servlet.Filter and define it in web.xml), and if the resource URI ends with .jsp we return an HTTP 403 error.

Antonios

On 1 July 2013 09:38, Lukasz Lenart wrote:

> 2013/7/1 Antonio Sánchez:
> > I need to protect JSPs. Some options:
> >
> > 1. Put JSPs under WEB-INF and, optionally, use the conventions plugin.
> >
> > 2. Declare authorization constraints in web.xml.
>
> These two options are the best to avoid direct access to JSPs - not
> all containers block access to resources in WEB-INF and fake auth
> constraints will solve that problem and it's an ultimate solution.
>
> Regards
> --
> Łukasz
> http://www.lenart.org.pl/
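
The filter described in the reply at the top of this message, as an added example that is not part of the original post or of Struts itself. The package, class and filter names are hypothetical. It goes slightly beyond the post by matching on the container-decoded servlet path instead of the raw request URI, by also matching .jspx and upper-case extensions, and by registering for the REQUEST dispatcher only so that forwards from Struts results still reach the JSP.

```java
package example.web; // hypothetical package and class name (added example)

import java.io.IOException;
import java.util.Locale;
import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/* web.xml registration (client requests only, not forwards or includes):
 *   <filter>
 *     <filter-name>denyDirectJsp</filter-name>
 *     <filter-class>example.web.DenyDirectJspFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>denyDirectJsp</filter-name>
 *     <url-pattern>/*</url-pattern>
 *     <dispatcher>REQUEST</dispatcher>
 *   </filter-mapping>
 */
public class DenyDirectJspFilter implements Filter {
    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // Reject only JSPs addressed directly by the client; the dispatcher check
        // keeps internal forwards working even if the mapping is widened later.
        if (request.getDispatcherType() == DispatcherType.REQUEST && isJspPath(request)) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    // The servlet path is already decoded and stripped of ";jsessionid=..." path
    // parameters, so a suffix test on it is harder to sidestep than one on the raw URI.
    static boolean isJspPath(HttpServletRequest request) {
        String path = request.getServletPath();
        if (request.getPathInfo() != null) path += request.getPathInfo();
        String lower = path.toLowerCase(Locale.ROOT);
        return lower.endsWith(".jsp") || lower.endsWith(".jspx");
    }
}
```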