tomcat-users mailing list archives

From Ben Souther <bsout...@fwdco.com>
Subject RE: [newbie] Container Managed Security - preventing direct access to .jsp
Date Wed, 15 Dec 2004 03:34:55 GMT
> It appears that there is no standard way to do this even though
> it's implied in the spec.

I don't know how standard this is but it works.
The trick is in the auth-constraint node (note the commented-out
role-name).
Since it is exclusive, not declaring a role-name for the protected
resource denies access to everyone.

You then catch the 403 error with an error page mapping and you're good
to go.  

The JSPs can still be accessed from the request dispatcher so you can 
reach them through the MVC pattern.

I suppose a simpler solution would be simply to create a
servlet-mapping with a url pattern of *.jsp and map it to an error
servlet.

If you want to test this out quickly grab the SimpleMVC.war from
http://simple.souther.us and replace the web.xml file with this one.
You'd have to create your own no-jsp-4-u.html page.

Hope it helps
-Ben



<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
        http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
    version="2.4">

  <servlet>
    <servlet-name>ControllerServlet</servlet-name>
    <servlet-class>us.souther.simple.mvc.ControllerServlet</servlet-class>
  </servlet>

  <servlet-mapping>
    <servlet-name>ControllerServlet</servlet-name>
    <url-pattern>/simple-mvc</url-pattern>
  </servlet-mapping>

  <!-- Deny direct client requests for any *.jsp: an auth-constraint
       with no role-name grants access to no role at all. Forwards
       from the controller via RequestDispatcher are not affected. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>off-limits</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!--<role-name>manager</role-name>-->
    </auth-constraint>
  </security-constraint>

  <!-- Blocked requests get a 403; show a friendly page instead. -->
  <error-page>
    <error-code>403</error-code>
    <location>/no-jsp-4-u.html</location>
  </error-page>
</web-app>
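As an added example (not Ben's code or part of the SimpleMVC project), a small Python audit that parses a web.xml and reports how a direct client request to a given path would fare, encoding the rule the post relies on: an auth-constraint with no role-name denies everyone, while a constraint with no auth-constraint at all leaves the pattern open. It assumes the servlet-spec best-match order for url-patterns (exact, then longest path prefix, then extension), which is why a JSP under a more specific `/admin/*` constraint is governed by that constraint rather than by the `*.jsp` deny-all; like the container, it models client requests only, so RequestDispatcher forwards are unaffected.

```python
import xml.etree.ElementTree as ET

J2EE = "{http://java.sun.com/xml/ns/j2ee}"

# Constructed descriptor: the post's deny-all *.jsp rule plus a role-guarded /admin/* area.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection><web-resource-name>jsp</web-resource-name><url-pattern>*.jsp</url-pattern></web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>admin</web-resource-name><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def match_rank(pattern, path):
    """Specificity of a url-pattern match (exact > longest path prefix > extension), None if no match."""
    if pattern == path:
        return (3, 0)
    if pattern.endswith("/*") and (path == pattern[:-2] or path.startswith(pattern[:-1])):
        return (2, len(pattern) - 2)
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, 0)
    return None

def constraints(xml_text):
    """Yield (url_patterns, roles): None = no <auth-constraint> (open), [] = empty one (deny all)."""
    for sc in ET.fromstring(xml_text).iter(J2EE + "security-constraint"):
        patterns = [p.text.strip() for p in sc.iter(J2EE + "url-pattern")]
        ac = sc.find(J2EE + "auth-constraint")
        yield patterns, None if ac is None else [r.text.strip() for r in ac.iter(J2EE + "role-name")]

def verdict(xml_text, path):
    """'denied', 'roles:a,b' or 'open' for a direct client request to path."""
    ranked = []
    for pats, roles in constraints(xml_text):
        ranks = [r for r in (match_rank(p, path) for p in pats) if r]
        if ranks:
            ranked.append((max(ranks), roles))
    if not ranked:
        return "open"
    best = max(r for r, _ in ranked)  # only the best-matching pattern's constraints apply
    applicable = [roles for r, roles in ranked if r == best]
    if [] in applicable:
        return "denied"  # an empty auth-constraint overrides roles on the same pattern
    if None in applicable:
        return "open"    # a constraint with no auth-constraint opens the pattern
    return "roles:" + ",".join(sorted({r for roles in applicable for r in roles}))
```

Running `verdict(WEB_XML, "/foo/page.jsp")` gives `denied`, while `/admin/x.jsp` reports `roles:manager`, showing that the `*.jsp` deny-all does not reach paths a more specific constraint claims.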

