tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kiran Badi <>
Subject Re: Protect JSP from Direct Access in Tomcat 7.0.xx
Date Tue, 19 Jun 2012 05:41:56 GMT
On 6/19/2012 10:22 AM, Tim Watts wrote:
>>> Hopefully, you're trying to use or move toward the MVC (Model, View,
>>> Controller) pattern.  If not, you should.  Google "MVC design pattern".
>>> There are many, many frameworks that will make this easier for you (once
>>> you learn them): Struts, Spring MVC...
>>> If you're well into your project and don't want to add a framework to it
>>> you could write a simple servlet that uses an algorithm to map URI paths
>>> to JSPs then forwards to the JSP using a dispatcher.  For instance, you
>>> could put your JSPs in myapp/WEB-INF/jsps.  Then have the servlet map a
>>> URI such as /sample to /WEB-INF/jsps/sample.jsp (all relative
>>> to /myapp).
>> http://localhost:8080/mysite/WEB-INF/jsp/newjsp.jsp
>> I just created folder jsp under WEB-INF and then added newjsp.jsp(this
>> is hello world jsp) and then ran the file.I get 404 error. I am trying
>> all this with netbeans.
> Well I hope by now you understand why or we're just going in circles.
> Of course, that URL gives a 404: it's trying to access WEB-INF which is
> never accessible via HTTP.  But it is accessible via
> RequestDispatcher.forward() -- e.g.:
> 	servletCtx.getRequestDispatcher("/WEB-INF/jsp/newjsp.jsp").forward(request, response);
> This is kind of like what you said earlier that your servlets are
> essentially doing, right?
No I did not do the way you mentioned.I just created a jsp under WEB-INF 
and invoked it directly and got 404.I think I now see what you are 
and its wonderful idea.Makes perfect sense now.Thanks Tim.
>>> This isn't a great approach because you really aren't separating the
>>> model from the view (all the app logic and display logic are housed in
>>> the JSP -- a maintenance nightmare).  But if you don't have time to
>>> re-architect the app now, it will hide the .jsp's from "direct access".
>>> And it will put you in a slightly better position if/WHEN you do
>>> re-architect it.
>> I think I am using kind of MVC pattern of course the one used around 6
>> to 8 years back.I am using jsp as view, servlet as kind controller and
>> then some beans/jstl and el to make my life easy somewhat. I would love
>> to work with frameworks like spring or struts someday.
> They're free you know. :-)  But of course, free software doesn't add
> hours to the day.  You're basically rolling your own MVC and that will
> probably help you understand better what these frameworks do.  But move
> away from this as soon as you can.  They've solved a lot of problems you
> probably haven't even considered and they can make your applications
> much less brittle if you take the time to learn them well.
Yup I have another project in mind which I plan to roll out soon 
probably either with spring or JSF.Maybe in a month or 2.I am fast 
learner and risk taker.

>> Ok  let me explain as what I need again,
>> I have form A with say about 10 fields, lets call this as jsp A. So in
>> browser bar it looks like http://localhost:8080/mysite/A.jsp
> Ah, so you do want SOME of your JSPs to be URL accessible!  Well, if
> A.jsp doesn't and never ever will have any dependencies on the
> application's state then fine.  Maybe it's true today but I doubt it
> will stay that way.  So it's probably better to be consistent and hide
> this as well.
>> User fills this A.jsp and then clicks Submit button. It posts the form
>> to Servlet B which does insert in the database and then forwards the
>> request via request dispatcher to  C.jsp which has some confirmation
>> details in it.(Unique reference ids pulled out from DB).
> So on submit, an HTTP POST is sent to http://localhost:8080/mysite/B.
> Then servlet B does its work and essentially invokes:
> 	ctx.getRequestDispatcher("/C.jsp").forward(request, response);
> then C.jsp sends back the response using data from the session.
> Is this right?
> (btw, you know your app'ss requirements better than I, but storing all
> data in the session isn't the only scope available.  It's likely that a
> lot of response data needn't survive past the current request.  In that
> case, setting request attributes would be better -- less memory needed,
> less likely to pick up data that's inappropriate for the current
> request).
Yup thats correct.I will explore this option of moving attributes to 
>> Now with my existing setup if I directly give url like
>> http://localhost:8080/mysite/C.jsp   I go directly to C Jsp which I
>> should not because its not suppose to be accessed directly.
> Right.  Put C.jsp in WEB-INF, get a request dispatcher for
> "/WEB-INF/C.jsp", forward to that and go home.
Yup got it.I think this should resolve my issue.
> -
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message