tomcat-users mailing list archives

From "Tim Coultas" <tcoul...@helper.com>
Subject Hiding JSPs from Public Access!?!?!
Date Tue, 17 Apr 2001 22:38:42 GMT
Folks -

I have run into the common problem where visitors can get at my jsp files
even though I have set up a log-in system of security using a central "traffic
circle" servlet that forwards users to jsp pages.

I have the servlets residing in a directory named jsp under the main context
directory.

However, a visitor can get the jsp pages by going to:

http://www.website.com/context/jsp/filename.jsp

I have tried to cut off access by placing this directory in the WEB-INF
directory, but I can still get to it at the URL above.  Also, I have tried
to just dump all of the .jsp's into the WEB-INF directory (and not place
them in a sub-directory) and I can STILL get to them at the URL above.

I have also tried to edit the web.xml security section by entering something
like "<url-pattern>/jsp/*</url-pattern>" and
"<url-pattern>/jsp/filename.jsp</url-pattern>" but this does not have any
effect.

How the heck do I do this?????

Has anyone been able to do it?????????

Thanks.

Tim Coultas
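
Added example, not part of the message above and not taken from Tomcat's own documentation: a web.xml fragment for the /jsp/* pattern the message mentions, showing a constraint that restricts nothing beside one that denies direct requests. It assumes a container that follows Servlet 2.4 (or later) declarative security, where constraints are checked on client requests but not on RequestDispatcher forwards; the resource name is made up.

```xml
<!-- Added example: these elements go inside <web-app> in WEB-INF/web.xml.
     Assumption: Servlet 2.4 or later security semantics.
     "Internal JSPs" is a hypothetical label, not a name from the message. -->

<!-- Form 1 (commented out): restricts nothing. With no auth-constraint
     element at all, the container places no authorization requirement on
     the matched URLs, so /context/jsp/filename.jsp stays publicly reachable.
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Internal JSPs</web-resource-name>
    <url-pattern>/jsp/*</url-pattern>
  </web-resource-collection>
</security-constraint>
-->

<!-- Form 2: deny every direct client request under /jsp/. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Internal JSPs</web-resource-name>
    <!-- Patterns are relative to the context root, so this matches
         http://www.website.com/context/jsp/filename.jsp -->
    <url-pattern>/jsp/*</url-pattern>
    <!-- No http-method elements are listed, so the constraint applies
         to every HTTP method, not only GET and POST. -->
  </web-resource-collection>
  <!-- An auth-constraint that names no roles means no user at all is
       allowed direct access to the matched URLs. -->
  <auth-constraint/>
</security-constraint>
```

Under these assumptions a browser request for /context/jsp/filename.jsp is refused by the container, while the central servlet can still reach the same page through RequestDispatcher.forward("/jsp/filename.jsp").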


