tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: WEB-INF
Date Fri, 10 Sep 2010 15:19:09 GMT

Leo,

I'll chime in. :)

On 9/10/2010 10:13 AM, Leo Donahue - PLANDEVX wrote:
> I've read that you can secure direct access to a JSP by placing it in
> the WEB-INF directory.  I know you can also secure direct access to a
> JSP by creating a security constraint using URL patterns and
> assigning role names that do not exist.
> 
> I've also "heard" that when you secure a URL using a security
> constraint, that you are not securing the "resource".

That depends on what you think the "resource" is. If it's a file on a
disk, then it is only "secure" if you secure all ways to retrieve it. If
you have multiple URLs that reference the same file on a disk, then yes,
you can "secure" one URL and not another and therefore your file is not
entirely "secure".

Chuck doesn't come right out and say this, but I believe he's hinting at
the fact that files on a disk are largely irrelevant: they are an
implementation detail where HTTP is concerned: the URL is a request for
a resource. Securing that URL is securing the resource. The fact that
multiple resources might result in the same response (from the same file
on the disk) is just a coincidence.

-chris
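As an added illustration of the point Chris makes above (this is not code from the post or from the Tomcat project), the following Python audit models the two mechanisms Leo mentions against a constructed web.xml: a `security-constraint` whose `url-pattern` protects one URL, a `<jsp-file>` servlet mapping that exposes the very same JSP under a second, unconstrained URL, and a JSP placed under WEB-INF that the container refuses to serve directly and that is therefore reachable only through its explicit mapping. The descriptor, the path names, the role name `no-such-role` and the request paths are all constructed for the example; the url-pattern matching follows the servlet spec's exact, prefix (`/x/*`) and extension (`*.jsp`) rules, and the rules for combining several matching constraints are simplified to "first match wins".

```python
"""Audit which URLs reach each JSP in a web.xml and which are covered by a constraint.

Added example, not from the mailing-list post or from Tomcat. The descriptor
below is constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Constructed sample deployment descriptor. It maps the same JSP file to two
# URLs and protects only one of them, and it maps a WEB-INF JSP to a single
# URL through a <jsp-file> servlet definition.
WEB_XML = """\
<web-app>
  <servlet>
    <servlet-name>report-alias</servlet-name>
    <jsp-file>/reports/secret.jsp</jsp-file>
  </servlet>
  <servlet-mapping>
    <servlet-name>report-alias</servlet-name>
    <url-pattern>/alias/report</url-pattern>
  </servlet-mapping>
  <servlet>
    <servlet-name>hidden</servlet-name>
    <jsp-file>/WEB-INF/jsp/hidden.jsp</jsp-file>
  </servlet>
  <servlet-mapping>
    <servlet-name>hidden</servlet-name>
    <url-pattern>/hidden</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>no-such-role</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""


def pattern_matches(pattern, path):
    """Servlet-spec url-pattern matching: extension ('*.jsp'), path prefix ('/x/*') or exact."""
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern


def parse_descriptor(web_xml):
    """Return ([(url-pattern, jsp-file)], [(constraint patterns, required roles)])."""
    root = ET.fromstring(web_xml)
    jsp_by_name = {
        s.findtext("servlet-name"): s.findtext("jsp-file")
        for s in root.findall("servlet")
        if s.findtext("jsp-file")
    }
    mappings = [
        (m.findtext("url-pattern"), jsp_by_name[m.findtext("servlet-name")])
        for m in root.findall("servlet-mapping")
        if m.findtext("servlet-name") in jsp_by_name
    ]
    constraints = [
        (
            [p.text for p in c.findall("web-resource-collection/url-pattern")],
            [r.text for r in c.findall("auth-constraint/role-name")],
        )
        for c in root.findall("security-constraint")
    ]
    return mappings, constraints


def resolve_resource(path, mappings):
    """JSP file a request path ends up executing, or None if the container serves nothing.

    Files under /WEB-INF/ are never served directly (servlet spec). A <jsp-file>
    servlet mapping is consulted before the default *.jsp handling.
    """
    if path.upper().startswith("/WEB-INF/"):
        return None
    for pattern, jsp in mappings:
        if pattern_matches(pattern, path):
            return jsp
    return path if path.endswith(".jsp") else None


def roles_required(path, constraints):
    """Roles demanded by the first matching security-constraint, or None if unconstrained.

    Simplification: the spec's rules for combining several matching constraints
    are not modelled here.
    """
    for patterns, roles in constraints:
        if any(pattern_matches(p, path) for p in patterns):
            return roles
    return None


def audit(web_xml, request_paths):
    """Map each request path to (resource executed, roles required)."""
    mappings, constraints = parse_descriptor(web_xml)
    return {
        path: (resolve_resource(path, mappings), roles_required(path, constraints))
        for path in request_paths
    }


def unprotected_routes(web_xml, request_paths):
    """Resources reachable through at least one URL that no security-constraint covers."""
    exposed = {}
    for path, (resource, roles) in audit(web_xml, request_paths).items():
        if resource is not None and roles is None:
            exposed.setdefault(resource, []).append(path)
    return exposed


if __name__ == "__main__":
    paths = ["/reports/secret.jsp", "/alias/report", "/WEB-INF/jsp/hidden.jsp", "/hidden"]
    for p, (res, roles) in audit(WEB_XML, paths).items():
        print(f"{p:28} -> {res!s:28} roles={roles}")
    print("unprotected:", unprotected_routes(WEB_XML, paths))
```

Running it shows `/reports/secret.jsp` demanding `no-such-role` (so nobody gets in that way) while `/alias/report` executes the same file with no constraint at all, which is exactly the "secure one URL and not another" case; `/WEB-INF/jsp/hidden.jsp` resolves to nothing, and `/hidden` is the only route to that file, so there is a single URL to constrain.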
