tomcat-users mailing list archives

From "Dennis Payne" <DEN...@mtctrains.com>
Subject Re: [newbie] Container Managed Security - preventing direct access to .jsp
Date Tue, 14 Dec 2004 21:03:16 GMT
I have not run into that kind of problem before... typically if you hit
a JSP without hitting its controller first you will just get nothing (an
HTML screen with no data).  When it gets routed back to the controller,
it will then register a failure due to lack of data.  Problem solved.

>>> hassan@webtuitive.com 12-14-2004 12:20 >>>
Robert Taylor wrote:

> Please let me know if this question is just too obvious
> and I'll gladly RTFM...

See below :-)

> It just seems like a common idiom to provide a portable mechanism
> for protecting direct access to .jsp so as to enforce access through
> some controller. I have in the past placed .jsp files "behind" WEB-INF,
> but I don't believe that is portable and would like to use CMS to achieve
> this.

Given that the Java™ Servlet Specification Version 2.4, page 70 sez:

	A special directory exists within the application hierarchy
	named WEB-INF. This directory contains all things related to
	the application that aren't in the document root of the
	application. The WEB-INF node is not part of the public
	document tree of the application. No file contained in the
	WEB-INF directory may be served directly to a client by the
	container.

I don't know how much more "portable" you want it to be :-)

HTH!
-- 
Hassan Schroeder ----------------------------- hassan@webtuitive.com 
Webtuitive Design ===  (+1) 408-938-0567   === http://webtuitive.com 

                           dream.  code.



---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org 
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org 
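
An added example, not part of the thread: a small audit that lists the JSPs in a web application a client could request directly, meaning those outside WEB-INF that are not covered by a deny-all `security-constraint`. It assumes the container-managed approach discussed above is a `web.xml` constraint with an empty `auth-constraint`; the descriptor, file list and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample deployment descriptor (not from the thread).
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>views</web-resource-name><url-pattern>/views/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern><http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""
# Constructed file list, relative to the web application root.
FILES = ["index.jsp", "views/list.jsp", "reports/q4.jsp", "WEB-INF/jsp/detail.jsp"]

def local(tag):
    """Drop the XML namespace so 2.4 and later descriptors parse alike."""
    return tag.rsplit("}", 1)[-1]

def deny_all_patterns(web_xml):
    """url-patterns whose constraint names no role and lists no http-method."""
    patterns = []
    for sc in ET.fromstring(web_xml).iter():
        if local(sc.tag) != "security-constraint":
            continue
        auth = [e for e in sc if local(e.tag) == "auth-constraint"]
        if not auth or any(local(r.tag) == "role-name" for r in auth[0]):
            continue  # no auth-constraint, or some role is allowed in
        for wrc in sc:
            if local(wrc.tag) != "web-resource-collection" or any(
                    local(e.tag) == "http-method" for e in wrc):
                continue  # an http-method list leaves the other methods open
            patterns += [e.text.strip() for e in wrc if local(e.tag) == "url-pattern"]
    return patterns

def matches(pattern, path):
    """Servlet url-pattern rules: path prefix, extension, exact or default."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == path or pattern == "/"

def directly_reachable(files, web_xml):
    """JSP paths outside WEB-INF that no deny-all constraint covers."""
    pats = deny_all_patterns(web_xml)
    paths = ["/" + f for f in files if f.endswith(".jsp") and f.split("/")[0] != "WEB-INF"]
    return [p for p in paths if not any(matches(pt, p) for pt in pats)]
```

The `/reports/*` constraint is reported as unprotected because it lists only GET, so requests using other methods are not covered by it.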

