tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Thomas Jones" <>
Subject Re: Restricting access to certain type of files
Date Thu, 12 Jul 2001 02:32:03 GMT
There are several ways to do this, one that I have found effective is the

In the servlet, right before the RequestDispatcher.include set an attribute
on the request object.  It is important to set an attribute and not a
session variable.  At the top of the include for the JSP file, check for the
set attribute.  If the attribute exists then you know the request came from
your servlet.  If it does not exists then you can forward to some error page
as appropriate.


Thomas Jones

----- Original Message -----
From: "Nicolas Moldavsky" <>
To: <>
Sent: Tuesday, July 10, 2001 4:33 PM
Subject: Restricting access to certain type of files

> We have developed an application using JBoss and Tomcat 3.2.1 and we need
> to restrict access to .jsp files which are used as includes.  We use files
> like header.jsp and footer.jsp which are included from servlets, but we
> don't want users to be able to access /header.jsp without going through
> the servlet.  All the JSP files are executed from servlets and none should
> be accessed directly.  I've tried removing the mapping for the .jsp
> extension in web.xml but nothing changed.  Is there an easy way to deny
> access to all .jsp URLs, but which will still allow includes from inside
> servlets to work?
> I.e, something like this:
> <FilesMatch "\.jsp$">
> deny from all
> </FilesMatch>
> Thanks,
> Nicolas Moldavsky

View raw message