tomcat-users mailing list archives

From "Robert Taylor" <rtay...@mulework.com>
Subject RE: [newbie] Container Managed Security - preventing direct access to .jsp
Date Tue, 14 Dec 2004 20:48:20 GMT
Thanks Hassan. I didn't realize that was added to the 2.4 spec.
Thanks for pointing that out. 

Even so, it would be nice to know how to use CMS to achieve this.

Maybe a better way to form the question would be how do I use
CMS to protect .jsp pages from direct access and return a user
friendly page/message when a .jsp page is requested without going through
the controller?
 

/robert

> -----Original Message-----
> From: Hassan Schroeder [mailto:hassan@webtuitive.com]
> Sent: Tuesday, December 14, 2004 2:21 PM
> To: Tomcat Users List
> Subject: Re: [newbie] Container Managed Security - preventing direct
> access to .jsp
> 
> 
> Robert Taylor wrote:
> 
> > Please let me know if this question is just too obvious
> > and I'll gladly RTFM...
> 
> See below :-)
> 
> > It just seems like a common idiom to provide a portable mechanism
> > for protecting direct access to .jsp so as to enforce access through
> > some controller. I have in the past placed .jsp files "behind" WEB-INF,
> > but I don't believe that is portable and would like to use CMS to achieve
> > this.
> 
> Given that the Java™ Servlet Specification Version 2.4, page 70 sez:
> 
> 	A special directory exists within the application hierarchy
> 	named WEB-INF. This directory contains all things related to
> 	the application that aren't in the document root of the
> 	application. The WEB-INF node is not part of the public
> 	document tree of the application. No file contained in the
> 	WEB-INF directory may be served directly to a client by the
> 	container.
> 
> I don't know how much more "portable" you want it to be :-)
> 
> HTH!
> -- 
> Hassan Schroeder ----------------------------- hassan@webtuitive.com
> Webtuitive Design ===  (+1) 408-938-0567   === http://webtuitive.com
> 
>                            dream.  code.
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> 
> 
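
The container-managed approach asked about above, sketched as a `web.xml` fragment (an added example, not part of the original messages): a security constraint with an empty `auth-constraint` denies every direct client request for `*.jsp`, and the Servlet specification does not apply security constraints to `RequestDispatcher` forwards, so a controller can still render the pages. The resource name and `/forbidden.html` are assumed placeholders.

```xml
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <!-- Deny all direct client requests for JSP files. -->
  <security-constraint>
    <web-resource-collection>
      <!-- Hypothetical name; any label works. -->
      <web-resource-name>Direct JSP access</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
      <!-- No http-method elements: the constraint covers every method. -->
    </web-resource-collection>
    <!-- An auth-constraint that names no roles means "no access under
         any circumstances", regardless of who is logged in. -->
    <auth-constraint/>
  </security-constraint>

  <!-- The container answers a denied request with 403; map that status
       to a user-friendly static page (assumed path, not a .jsp). -->
  <error-page>
    <error-code>403</error-code>
    <location>/forbidden.html</location>
  </error-page>

</web-app>
```

Because the constraint is evaluated only on requests arriving from a client, a welcome file such as `index.jsp` is blocked as well; route the entry point through the controller.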
