From: "Robert Taylor"
To: "Tomcat Users List"
Subject: RE: [newbie] Container Managed Security - preventing direct access to .jsp
Date: Tue, 14 Dec 2004 17:49:08 -0500
In-Reply-To: <41BF63F9.7050506@webtuitive.com>

Fair enough.
When I mention Container Managed Security, I am referring to using security constraints defined in web.xml to prevent direct access to resources. More specifically, from Section 12.8 of the 2.4 specification:

Security constraints are a declarative way of defining the protection of web content. A security constraint associates authorization and/or user data constraints with HTTP operations on web resources. A security constraint, which is represented by security-constraint in deployment descriptor, consists of the following elements:

- web resource collection (web-resource-collection in deployment descriptor)
- authorization constraint (auth-constraint in deployment descriptor)
- user data constraint (user-data-constraint in deployment descriptor)

The HTTP operations and web resources to which a security constraint applies (i.e. the constrained requests) are identified by one or more web resource collections. A web resource collection consists of the following elements:

- URL patterns (url-pattern in deployment descriptor)
- HTTP methods (http-method in deployment descriptor)

An authorization constraint establishes a requirement for authentication and names the authorization roles permitted to perform the constrained requests. A user must be a member of at least one of the named roles to be permitted to perform the constrained requests. The special role name "*" is a shorthand for all role names defined in the deployment descriptor. An authorization constraint that names no roles indicates that access to the constrained requests must not be permitted under any circumstances.

Does this not imply that I can do what I am trying to do?

/robert

> -----Original Message-----
> From: Hassan Schroeder [mailto:hassan@webtuitive.com]
> Sent: Tuesday, December 14, 2004 5:07 PM
> To: Tomcat Users List
> Subject: Re: [newbie] Container Managed Security - preventing direct
> access to .jsp
>
>
> Robert Taylor wrote:
> > I didn't realize that was added to the 2.4 spec.
>
> It was in 2.3, too. I'd guess it was in the spec from the get-go,
> but don't have an older copy to hand to confirm.
>
> > Even so, it would be nice to know how to use CMS to achieve this.
>
> What is your definition of "Container Managed Security", then, if
> not this? The container prevents direct access to the resources
> placed within WEB-INF, without you having to do anything else.
>
> > Maybe a better way to form the question would be how do I use
> > CMS to protect .jsp pages from direct access
>
> as above.
>
> > and return a user
> > friendly page/message when a .jsp page is requested without going through
> > the controller?
>
> A custom 404 page should take care of it. And you can get as fancy
> with that as you like :-)
>
> FWIW!
> --
> Hassan Schroeder ----------------------------- hassan@webtuitive.com
> Webtuitive Design === (+1) 408-938-0567 === http://webtuitive.com
>
> dream. code.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
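As an added illustration, not part of either message in this thread, the following web.xml fragment applies the Servlet 2.4 rule Robert quotes: a security-constraint whose auth-constraint names no roles blocks every direct client request for the matched URLs, while a controller servlet that reaches the same JSPs through a RequestDispatcher forward is unaffected, because security constraints are applied to client requests only. The /jsp/* and /app/* patterns, the com.example.ControllerServlet class and the /denied.html page are assumed names chosen for the example.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- Assumed layout: view JSPs live under /jsp/, the controller answers /app/*.
       The controller forwards to /jsp/... with a RequestDispatcher. -->
  <servlet>
    <servlet-name>controller</servlet-name>
    <!-- hypothetical class name -->
    <servlet-class>com.example.ControllerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>controller</servlet-name>
    <url-pattern>/app/*</url-pattern>
  </servlet-mapping>

  <!-- Deny every direct client request for the view JSPs.
       No <http-method> is listed on purpose: once you list methods, only
       the listed ones are constrained and the rest stay open.
       An empty <auth-constraint/> names no roles, which the spec defines as
       "must not be permitted under any circumstances", so no login-config
       is needed; nobody can satisfy the constraint. Forwards from the
       controller are not client requests and are not checked. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>View JSPs</web-resource-name>
      <url-pattern>/jsp/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <!-- A denied request gets a 403; map it to a friendly page that is
       itself outside the protected pattern. -->
  <error-page>
    <error-code>403</error-code>
    <location>/denied.html</location>
  </error-page>
</web-app>
```

To check the deployment, request /jsp/anything.jsp directly and confirm the friendly page comes back with a 403 status, then request the same view through /app/... and confirm the controller still renders it. Hassan's alternative of moving the JSPs under WEB-INF achieves the same direct-access block without a constraint, in which case a direct request produces a 404 and the matching error-page entry would use error-code 404 instead.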