tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "James Mitchell" <>
Subject RE: Stopping display of included jsp modules
Date Thu, 16 May 2002 01:11:53 GMT
Have you considered placing your jsp under WEB-INF?

If you are displaying all your jsp as a result of a servlet forward, then
doing this will allow the container to disallow direct access (directly
calling the jsp from the browser) and force all requests to go through your
servlets. (no need to map *.jsp to any servlet to filter/catch)

I do this in all my projects, I use the html base tag, so I can find out
which page the request came from (if needed).  If you do this though, make
sure that all your page links reference from the document root (e.g.
/servletcontext/images/img3.jpg) and same goes for applets, flash files,
included JavaScript and all others.


> -----Original Message-----
> From: Geoff Apps []
> Sent: Wednesday, May 15, 2002 8:49 PM
> To: ''
> Subject: Stopping display of included jsp modules
> In our application all URL requests matching *.abc are directed to our own
> servlet. This servlet processes the request, sets up beans, and
> then forward
> the request to a .jsp page for display.
> We also have requests matching *.js, *.css, and *.gif directed to the
> default servlet to serve  these static resources.
> To enable the processing of jsp pages we also have *.jsp requests being
> directed to the JSP servlet.
> The problem is that we would like *.jsp requests to the container to be
> rejected, but we need the jsp processing to occur when the jsp components
> are forwarded to from the servlet that processes *.abc requests.
> Previously, we used Apache connecting to Tomcat, and we were able to only
> allow *.abc requests through from Apache to Tomcat. (The reason we would
> like to not use Apache is that the load on this application is low and we
> would like to reduce complexity.).
> The issue is that if someone requests a *.jsp resource then the beans
> required to correctly display the page do not exist, or only part
> of a page
> is being displayed.
> A valve looks like a good solution, but the only valve's I have seen are
> associated with IP or Hostname checking. Is it possible to write your own
> valve, or is there a more elegant solution to my problem ?
> Any ideas will be greatly appreciated.
> Regards,
> Geoff
> JBWere Limited and its related entities distributing this
> document and each of their respective directors, officers and
> agents ("the  Were Group") believe that the information contained
> in this document is correct and that any estimates, opinions,
> conclusions or recommendations contained in this document are
> reasonably held or made as at the time of compilation. However,
> no warranty is made as to the accuracy or reliability of any
> estimates, opinions, conclusions, recommendations which may
> change without notice) or other information contained in this
> document and, to the maximum extent permitted by law, the Were
> Group disclaims all liability and responsibility for any direct
> or indirect loss or damage which may be suffered by any recipient
> through relying on anything contained in or omitted from this document.
> --
> To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:   <>
For additional commands, e-mail: <>

View raw message