From "Robert Taylor" <rtay...@mulework.com>
Subject RE: [newbie] Container Managed Security - preventing direct access to .jsp
Date Wed, 15 Dec 2004 13:02:48 GMT
That is exactly how I want to do it. 
In fact, if you look at my original message I describe what you recommend
almost exactly. 

Anyhow, I finally created a VERY simple security example web app with
the following web.xml:

<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
    version="2.4">

    <description>Simple Security Example</description>
    <display-name>Simple Security Example</display-name>

    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>

    <error-page>
        <error-code>403</error-code>
        <location>/403.jsp</location>
    </error-page>

    <security-constraint>
        <display-name>Example Security Constraint</display-name>
        <web-resource-collection>
            <web-resource-name>Protected Area</web-resource-name>
            <url-pattern>/secure/*</url-pattern>
        </web-resource-collection>
        <auth-constraint/>
    </security-constraint>

</web-app>

And it works! Yeeehawwww!

Thanks for the help and discussion, Ben.

/robert

> -----Original Message-----
> From: Ben Souther [mailto:bsouther@fwdco.com]
> Sent: Tuesday, December 14, 2004 10:35 PM
> To: Tomcat Users List
> Subject: RE: [newbie] Container Managed Security - preventing direct
> access to .jsp
> 
> 
> > It appears that there is no standard way to do this even though
> > it's implied in the spec.
> 
> I don't know how standard this is but it works.
> The trick is in the auth-constraint node (note the commented out
> role-name).
> Since it is exclusive, not declaring a role-name for the protected
> resource denies access to everyone.
> 
> You then catch the 403 error with an error page mapping and you're good
> to go.  
> 
> The JSPs can still be accessed from the request dispatcher so you can 
> reach them through the MVC pattern.
> 
> I suppose a simpler solution would be simply to create a
> servlet-mapping with a url pattern of *.jsp and map it to an error
> servlet.
> 
> If you want to test this out quickly grab the SimpleMVC.war from
> http://simple.souther.us and replace the web.xml file with this one.
> You'd have to create your own no-jsp-4-u.html page.
> 
> Hope it helps
> -Ben
> 
> 
> 
> <?xml version="1.0" encoding="ISO-8859-1"?>
> <web-app xmlns="http://java.sun.com/xml/ns/j2ee"
>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>     xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
> http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
>     version="2.4">
> 
>   <servlet>
>   <servlet-name>
>     ControllerServlet 
>   </servlet-name>
>   
>   <servlet-class>
>     us.souther.simple.mvc.ControllerServlet</servlet-class>
>   </servlet>
> 
>   <servlet-mapping>
>     <servlet-name>ControllerServlet</servlet-name>
>     <url-pattern>/simple-mvc</url-pattern>
>   </servlet-mapping>
>  
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>
>         off-limits
>       </web-resource-name>
>       <url-pattern>
>           *.jsp
>       </url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <!--<role-name> manager </role-name>-->
>     </auth-constraint>
>   </security-constraint>
>  
>   <error-page>
>     <error-code>403</error-code>
>     <location>/no-jsp-4-u.html</location>
>   </error-page>
> </web-app>
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> 
> 

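An added checker (not code from either message or from the SimpleMVC project) that reads a web.xml like the two above and reports, per security-constraint, whether it is deny-all (an empty auth-constraint, as both files use), role-restricted, or has no auth-constraint at all, which is the easy mistake that leaves everything open. The sample web.xml and the paths below are constructed; the check covers only direct client requests, since RequestDispatcher forwards bypass security constraints, as Ben notes.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml in the shape of the one posted above (not copied from it).
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <error-page><error-code>403</error-code><location>/403.jsp</location></error-page>
  <security-constraint>
    <web-resource-collection><web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/secure/*</url-pattern></web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def url_pattern_matches(pattern, path):
    """Servlet-spec matching: path prefix (/dir/*), extension (*.jsp) or exact."""
    pattern = pattern.strip()  # tolerate whitespace-padded patterns like Ben's
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def classify_constraints(web_xml_text):
    """Return [(url_patterns, kind)]; kind is 'deny-all', 'roles' or 'open'.
    The {*} wildcard ignores the j2ee namespace (needs Python 3.8+)."""
    out = []
    for sc in ET.fromstring(web_xml_text).findall(".//{*}security-constraint"):
        pats = [p.text.strip() for p in sc.findall(".//{*}url-pattern")]
        auth = sc.find("{*}auth-constraint")
        if auth is None:
            kind = "open"      # no auth-constraint element: nothing is restricted
        elif auth.find("{*}role-name") is not None:
            kind = "roles"     # only the listed roles may reach it
        else:
            kind = "deny-all"  # empty auth-constraint: every direct request gets 403
        out.append((pats, kind))
    return out


def direct_access_denied(web_xml_text, path):
    """True if a direct client request for `path` is refused outright (403)."""
    return any(kind == "deny-all" and any(url_pattern_matches(p, path) for p in pats)
               for pats, kind in classify_constraints(web_xml_text))
```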