tomcat-users mailing list archives

From Andrew Shirk <sh...@ncsa.uiuc.edu>
Subject Re: Protecting JSPs in Tomcat 5
Date Mon, 26 Jul 2004 21:22:27 GMT
Please disregard my previous post. I

Thank you.


At 03:20 PM 7/26/2004, you wrote:
>In Tomcat 4, I would map request URLs to JSPs and handle the forwarding on 
>the server side. Direct user access to JSPs was prevented using the 
>following security constraint configuration:
>
><security-constraint>
>   <display-name>JSP Protection</display-name>
>   <web-resource-collection>
>     <web-resource-name>JSPs</web-resource-name>
>     <url-pattern>*.jsp</url-pattern>
>     <http-method>DELETE</http-method>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>     <http-method>PUT</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>Administrator</role-name>
>   </auth-constraint>
>   <user-data-constraint>
>     <transport-guarantee>NONE</transport-guarantee>
>   </user-data-constraint>
></security-constraint>
>
>
>This seems to not work with Tomcat 5 as the constraint is applied even 
>though no direct request is made by the user. Is this change in behavior 
>the result of a spec change? I could find no such clarification.
>
>Thanks for the help.
>
>Andrew
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


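An added example, not part of the original messages or of Tomcat: a small audit of the constraint quoted above. Under the Servlet specification a <web-resource-collection> that lists <http-method> elements constrains only those methods, and an <auth-constraint> naming no roles denies all direct requests. The audit function, the HARDENED fragment and the un-namespaced sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragments (no XML namespace): the constraint quoted in
# the message, and a comparison variant with no method list and no roles.
QUOTED = """<web-app>
 <security-constraint>
  <web-resource-collection>
   <web-resource-name>JSPs</web-resource-name>
   <url-pattern>*.jsp</url-pattern>
   <http-method>DELETE</http-method>
   <http-method>GET</http-method>
   <http-method>POST</http-method>
   <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>Administrator</role-name></auth-constraint>
 </security-constraint>
</web-app>"""
HARDENED = """<web-app>
 <security-constraint>
  <web-resource-collection>
   <web-resource-name>JSPs</web-resource-name>
   <url-pattern>*.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint/>
 </security-constraint>
</web-app>"""

# Standard HTTP/1.1 methods the audit checks for coverage.
ALL_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}

def audit(web_xml, pattern="*.jsp"):
    """Return (methods left unconstrained, roles allowed) for `pattern`."""
    covered, roles = set(), set()
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        if sc.find("auth-constraint") is None:
            continue  # without an auth-constraint no role check is applied
        for wrc in sc.iter("web-resource-collection"):
            if pattern not in [u.text.strip() for u in wrc.iter("url-pattern")]:
                continue
            methods = {m.text.strip().upper() for m in wrc.iter("http-method")}
            # No <http-method> elements: the constraint covers every method.
            covered |= methods or ALL_METHODS
            # An empty role set means direct access is denied to everyone.
            roles |= {r.text.strip() for r in sc.iter("role-name")}
    return sorted(ALL_METHODS - covered), sorted(roles)
```

For the quoted constraint the audit reports HEAD, OPTIONS and TRACE as not covered by the *.jsp rule; the comparison fragment leaves no method uncovered and allows no role.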

