tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "CPC Livelink Admin" <cpclv...@fitzpatrick.cc>
Subject RE: posting to servlets from a url
Date Thu, 07 Dec 2000 05:55:50 GMT

Well, then I think your next best bet is in the Tomcat 4.0 release which has
the new Filter and Valve features. My only knowledge of these is from one of
Craig McLanahan's posts, but if you check the spec, it will probably
describe them in detail.  My understanding, is that these would allow you to
do exactly what you want - however, I don't know if you can wait that long
or if you are able to use the 4.0 milestone builds in your environment.

I think your next best bet is to disable the /servlet/ auto-mapping (I
believe this is a tomcat extention) which should prohibit access to the
stuff in WEB-INF/classes and lib (but sill allows access to all JSPs). Then
have all access to your servlets be through inclusion or direct execution.
I am not sure of the rules for direct executition so you may want to refer
to the spec to see if that is allowed.

Regards,
Paul


-----Original Message-----
From: John de la Garza [mailto:jdelagarza@designinsites.com]
Sent: Wednesday, December 06, 2000 08:20 PM
To: tomcat-user@jakarta.apache.org
Subject: RE: posting to servlets from a url


Yea, that is what I am currently doing...can't the server container handle
that for me?

Like only let the server posted or get from the servlets?

I wanted to avoid putting security code in every servlet, one by one.

-----Original Message-----
From: CPC Livelink Admin [mailto:cpclvlnk@fitzpatrick.cc]
Sent: Wednesday, December 06, 2000 5:16 PM
To: tomcat-user@jakarta.apache.org; jdelagarza@designinsites.com
Subject: RE: posting to servlets from a url



You could implement a simple locking mechanism.  When you are about to
access one of your classes, set a session or request scoped bean or session
variable, and then in your servlets, check for that object, and then remove
it.

-----Original Message-----
From: John de la Garza [mailto:jdelagarza@designinsites.com]
Sent: Wednesday, December 06, 2000 05:04 PM
To: Tomcat-Users (E-mail)
Subject: posting to servlets from a url


Is there some way I can make my server not allow users to type in URL's
directly to servlets in the WEB-INF/classes directory?

I only want these servlets to be accessed by my own jsp pages on my server.





Mime
View raw message