tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dennis Payne" <>
Subject Re: [newbie] Container Managed Security - preventing direct access to .jsp
Date Tue, 14 Dec 2004 21:03:16 GMT
I have not run into that kind of problem before... typically if you hit
a JSP without hitting its controller first you will just get nothing (an
HTML screen with no data).  when it gets routed back to the controller,
it will then register a failure due to lack of data.  Problem solved.

>>> 12-14-2004 12:20 >>>
Robert Taylor wrote:

> Please let me know if this questions is just too obvious
> and I'll gladly RTFM...

See below :-)

> It just seems like a common idiom to provide a portable mechanism
> for protecting direct access to .jsp so as to enforce access through
> some controller. I have in the past placed .jsp files "behind"
> but I don't believe that is portable and would like to use CMS to
> this.

Given that the Java" Servlet Specification Version 2.4, page 70 sez:

	A special directory exists within the application hierarchy
	named WEB-INF. This directory contains all things related to
	the application that aren't in the document root of the
	application. The WEB-INF node is not part of the public
	document tree of the application. No file contained in the
	WEB-INF directory may be served directly to a client by the

I don't know how much more "portable" you want it to be :-)

Hassan Schroeder ----------------------------- 
Webtuitive Design ===  (+1) 408-938-0567   === 

                           dream.  code.

To unsubscribe, e-mail: 
For additional commands, e-mail: 

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message