tomcat-users mailing list archives

From Andrew Shirk <sh...@ncsa.uiuc.edu>
Subject Protecting JSPs in Tomcat 5
Date Mon, 26 Jul 2004 20:20:36 GMT
In Tomcat 4, I would map request URLs to JSPs and handle the forwarding on 
the server side. Direct user access to JSPs was prevented using the 
following security constraint configuration:

<security-constraint>
   <display-name>JSP Protection</display-name>
   <web-resource-collection>
     <web-resource-name>JSPs</web-resource-name>
     <url-pattern>*.jsp</url-pattern>
     <http-method>DELETE</http-method>
     <http-method>GET</http-method>
     <http-method>POST</http-method>
     <http-method>PUT</http-method>
   </web-resource-collection>
   <auth-constraint>
     <role-name>Administrator</role-name>
   </auth-constraint>
   <user-data-constraint>
     <transport-guarantee>NONE</transport-guarantee>
   </user-data-constraint>
</security-constraint>


This seems to not work with Tomcat 5 as the constraint is applied even 
though no direct request is made by the user. Is this change in behavior 
the result of a spec change? I could find no such clarification.

Thanks for the help.

Andrew 
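
Added example, not part of the original message: a short Python audit of the constraint quoted above, showing which HTTP methods it covers and who is allowed. The `audit` and `texts` functions and the `HTTP_METHODS` set are assumptions made for this illustration. It relies on the Servlet rule that a `web-resource-collection` listing `http-method` elements constrains only those methods.

```python
import xml.etree.ElementTree as ET

# The constraint exactly as posted in the message above.
POSTED = """<security-constraint>
   <display-name>JSP Protection</display-name>
   <web-resource-collection>
     <web-resource-name>JSPs</web-resource-name>
     <url-pattern>*.jsp</url-pattern>
     <http-method>DELETE</http-method>
     <http-method>GET</http-method>
     <http-method>POST</http-method>
     <http-method>PUT</http-method>
   </web-resource-collection>
   <auth-constraint>
     <role-name>Administrator</role-name>
   </auth-constraint>
   <user-data-constraint>
     <transport-guarantee>NONE</transport-guarantee>
   </user-data-constraint>
</security-constraint>"""

# Assumption: the method set to check coverage against (HTTP/1.1 core methods).
HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}

def texts(parent, tag):
    return [(e.text or "").strip() for e in parent.findall(tag)]

def audit(xml_text):
    """Return one finding per web-resource-collection in the descriptor text."""
    root = ET.fromstring(xml_text)
    for el in root.iter():                      # drop any XML namespace prefix
        el.tag = el.tag.rsplit("}", 1)[-1]
    findings = []
    for sc in root.iter("security-constraint"):
        auth = sc.find("auth-constraint")
        if auth is None:
            access = "unrestricted (no auth-constraint)"
        else:
            roles = texts(auth, "role-name")
            access = "roles: " + ", ".join(roles) if roles else "denied to all"
        for coll in sc.findall("web-resource-collection"):
            listed = {m.upper() for m in texts(coll, "http-method")}
            # No <http-method> elements: the constraint covers every method.
            covered = listed or HTTP_METHODS
            findings.append({"patterns": texts(coll, "url-pattern"),
                             "access": access,
                             "covered": sorted(covered),
                             "uncovered": sorted(HTTP_METHODS - covered)})
    return findings
```

For the posted constraint, the finding lists HEAD, OPTIONS and TRACE as uncovered; removing the `http-method` elements makes the constraint apply to every method.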

