tomcat-users mailing list archives

From Kiran Badi <>
Subject Re: Protect JSP from Direct Access in Tomcat 7.0.xx
Date Tue, 19 Jun 2012 03:18:47 GMT
On 6/19/2012 8:03 AM, Tim Watts wrote:
> Hi Kiran,
> On Tue, 2012-06-19 at 05:40 +0530, Kiran Badi wrote:
>> Hi All,
>> I need your guidance again. I have a bunch of JSPs, close to 100+, which I
>> need to protect from direct access.
> By "direct access" do you mean that http://host/myapp/sample.jsp is
> returning the JSP source code rather than executing it?  Or do you mean
> that you don't want any .jsp URLs to be accessible to users?
No, it's not returning source code. I have a couple of JSPs where I use EL
to access session objects, and directly accessing those JSPs is
not something I want.
>> I have this mapping in web.xml and this is not working. It seems that
>> probably I need to define a role first and then use the settings below. But
>> unfortunately my app is an open internet application which does not use a
>> realm at all.
>> <security-constraint>
>> <display-name>DenyAccesstoDirectJSP</display-name>
>> <web-resource-collection>
>> <web-resource-name>sample.jsp</web-resource-name>
>> <description>Sample confirmation JSP</description>
>> <url-pattern>*.jsp</url-pattern>
>> <http-method>GET</http-method>
>> <http-method>POST</http-method>
>> </web-resource-collection>
>> </security-constraint>
> This isn't going to help you. Dump it.
Yup, it's not helping.
>> All my JSPs are residing in the webpages folder of the project directory. I
>> know this is incorrect and probably gives direct access to the JSPs.
>> So I have some clarifications to ask:
>> 1. Is there a way to tell Tomcat not to serve direct JSPs, probably
>> via web.xml?
> If by "serve direct jsp's" you mean "don't return source code" then,
> yes.  Put them under your web app's directory.  For example, if your web
> app's context is 'myapp' then in tomcat it will be deployed under
> <TC_BASE>/webapps/myapp.  You could put them directly in this directory
> or group them under a separate directory; 'jsps' for instance.  Then
> sample.jsp would be addressed as http://host/myapp/sample.jsp (or
> http://host/myapp/jsps/sample.jsp )
Yup, I have the same setup. Still, it's not bad.
>> 2. Is there any extra setting that is required if I move my JSPs inside
>> web-inf? I created a folder under web-inf and created a sample hello
>> world.jsp and then tried to invoke that JSP but got a 404 message.
> First of all, it's WEB-INF. Case matters.
OK, got it.
> No, there's no special "setting" that will directly expose anything
> under WEB-INF via a URL.  That's the part of the Servlet Spec.  It's a
> Good Thing®.  However, if you're trying to make your JSPs inaccessible
> via URLs, then you can move them there and have them indirectly accessed
> using a servlet which forwards the request to them.  See
> ServletContext.getRequestDispatcher() and RequestDispatcher.forward().
Yup, I have lots of request dispatchers in servlets. Almost all my
JSPs are using data which is forwarded by servlets. I pull data from the DB
via a servlet, store it in session scope, forward it to the JSP and in the JSP
access it via EL. On logoff I remove the attributes from the session.
> Hopefully, you're trying to use or move toward the MVC (Model, View,
> Controller) pattern.  If not, you should.  Google "MVC design pattern".
> There are many, many frameworks that will make this easier for you (once
> you learn them): Struts, Spring MVC...
> If you're well into your project and don't want to add a framework to it
> you could write a simple servlet that uses an algorithm to map URI paths
> to JSPs then forwards to the JSP using a dispatcher.  For instance, you
> could put your JSPs in myapp/WEB-INF/jsps.  Then have the servlet map a
> URI such as /sample to /WEB-INF/jsps/sample.jsp (all relative
> to /myapp).

I just created a folder jsp under WEB-INF and then added newjsp.jsp (this
is a hello world JSP) and then ran the file. I get a 404 error. I am trying
all this with NetBeans.
> This isn't a great approach because you really aren't separating the
> model from the view (all the app logic and display logic are housed in
> the JSP -- a maintenance nightmare).  But if you don't have time to
> re-architect the app now, it will hide the .jsp's from "direct access".
> And it will put you in a slightly better position if/WHEN you do
> re-architect it.
I think I am using a kind of MVC pattern, of course the one used around 6
to 8 years back. I am using JSP as view, servlet as a kind of controller and
then some beans/JSTL and EL to make my life somewhat easy. I would love
to work with frameworks like Spring or Struts someday.

OK, let me explain again what I need.

I have form A with, say, about 10 fields; let's call this JSP A. So in the
browser bar it looks like http://localhost:8080/mysite/A.jsp

The user fills in A.jsp and then clicks the Submit button. It posts the form
to Servlet B, which does an insert in the database and then forwards the
request via a request dispatcher to C.jsp, which has some confirmation
details in it (unique reference ids pulled out from the DB).

Now with my existing setup, if I directly give a URL like

http://localhost:8080/mysite/C.jsp   I go directly to C.jsp, which I
should not because it's not supposed to be accessed directly.

I want to block this behaviour, and it's this behaviour I call direct
access to JSP.

I don't get the source code of any of my JSPs; the setup is pretty simple with
just J2EE stuff and Tomcat.
>> - Kiran
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail:
>> For additional commands, e-mail:

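The approach Tim describes (JSPs under WEB-INF, reached only through a servlet that forwards with ServletContext.getRequestDispatcher() and RequestDispatcher.forward()) applied to Kiran's A.jsp / Servlet B / C.jsp flow, as an added example that is not part of the thread and not code from either poster. The servlet name ViewServlet, the "/app/*" mapping, the /WEB-INF/jsps/ directory, the PUBLIC_VIEWS list and the placeholder reference id are all assumptions; the API is javax.servlet as shipped with Tomcat 7 (Servlet 3.0).

```java
// Added example, not from the thread: a front-controller servlet that keeps
// every JSP under /WEB-INF/jsps/ (unreachable by URL per the Servlet spec)
// and forwards to it. Names, paths and the "/app/*" mapping are assumptions.
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/app/*")
public class ViewServlet extends HttpServlet {

    // Only a plain name segment is accepted: no slashes, dots or traversal,
    // so the client can never steer the forward outside /WEB-INF/jsps/.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    // Views a client may open by name. "C" is deliberately absent: the
    // confirmation page is reached only through the POST handler below.
    private static final Set<String> PUBLIC_VIEWS =
            new HashSet<String>(Arrays.asList("A", "help"));

    /** Builds the WEB-INF path for a view name, or null if the name is not allowed. */
    static String viewPath(String name, boolean allowInternal) {
        if (name == null || !SAFE_NAME.matcher(name).matches()) return null;
        if (!allowInternal && !PUBLIC_VIEWS.contains(name)) return null;
        return "/WEB-INF/jsps/" + name + ".jsp";
    }

    // GET /app/A -> forwards to /WEB-INF/jsps/A.jsp
    // GET /app/C -> 404, because C is not a public view
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String info = req.getPathInfo();   // e.g. "/A", already URL-decoded
        String name = (info == null || info.length() < 2) ? null : info.substring(1);
        String path = viewPath(name, false);
        if (path == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        forward(req, resp, path);
    }

    // POST /app/A -> stand-in for "Servlet B": store the result, then forward to C.jsp.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Constructed placeholder for the database insert; the real app would
        // write the form fields and read back the generated reference id.
        String referenceId = "REF-" + System.currentTimeMillis();
        // Request scope is enough for a one-shot confirmation page, so there
        // is nothing to clean out of the session at logoff.
        req.setAttribute("referenceId", referenceId);
        forward(req, resp, viewPath("C", true));
    }

    private void forward(HttpServletRequest req, HttpServletResponse resp, String path)
            throws ServletException, IOException {
        RequestDispatcher rd = getServletContext().getRequestDispatcher(path);
        if (rd == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        rd.forward(req, resp);
    }
}
```

With A.jsp and C.jsp moved to /WEB-INF/jsps/, links point at /mysite/app/A, the form's action posts to /mysite/app/A, and C.jsp reads `${referenceId}` from request scope. A request for /mysite/C.jsp now gets a 404 from Tomcat itself, because nothing under WEB-INF is served by URL, while the forward inside doPost still works since dispatcher forwards are not subject to that rule. The whitelist plus the name regex matter: a controller that forwarded to whatever path the client supplied would reintroduce the very access this setup is meant to remove.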
