tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bill Barker" <>
Subject Re: Stopping external access to jsp files
Date Sun, 15 Jun 2003 01:42:42 GMT
The easiest way is to simply put the JSP pages that you want to deny direct
access to someplace under the WEB-INF directory.  Direct access to anything
under this if forbidden, but your controller is still allowed to forward or

A less good solution is to specify a security-constraint for these pages
that requires the role, say 'forbidden' (that no user actually has).  The
drawback of this is that the user will be asked to login before being denied
access to the page.  Of course, if your goal is to annoy hackers, you might
even prefer this one ;-).

"Lee W" <> wrote in message
> Hi Everyone,
> After some good advise from members of this lists (thanks again) I have
> started learning about servlets.
> I have created a simple servlet that act as a controller in my webapp,
> this is where all requests get sent to.  However I have not been able to
> find a way to stop users from getting to the .jsp files that the servlet
> uses for the presentation element.
> I know that I could use Tomcat along with Apache HTTP server to restrict
> access to the JSP pages but I was wondering if anyone knew how to
> specify in the web.xml file that users should not be able to get to the
> jsp's but the servlets (and  jsp's can access other jsp's via include or
> forward).  My reading of the docs on the tomcat website and by STW have
> not yielded any suggestions.
> Thanks again.
> Regards
> Lee

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message