From: Kiran Badi (www.poonam.org)
Date: Tue, 19 Jun 2012 11:11:56 +0530
To: Tomcat Users List
Subject: Re: Protect JSP from Direct Access in Tomcat 7.0.xx
Message-ID: <4FE01124.9030803@poonam.org>
In-Reply-To: <1340081562.30268.916.camel@dellberry>

On 6/19/2012 10:22 AM, Tim Watts wrote:
>>> Hopefully, you're trying to use or move toward the MVC (Model, View,
>>> Controller) pattern. If not, you should. Google "MVC design pattern".
>>> There are many, many frameworks that will make this easier for you (once
>>> you learn them): Struts, Spring MVC...
>>>
>>> If you're well into your project and don't want to add a framework to it
>>> you could write a simple servlet that uses an algorithm to map URI paths
>>> to JSPs then forwards to the JSP using a dispatcher. For instance, you
>>> could put your JSPs in myapp/WEB-INF/jsps. Then have the servlet map a
>>> URI such as /sample to /WEB-INF/jsps/sample.jsp (all relative
>>> to /myapp).
>> http://localhost:8080/mysite/WEB-INF/jsp/newjsp.jsp
>>
>> I just created folder jsp under WEB-INF and then added newjsp.jsp (this
>> is a hello world jsp) and then ran the file. I get a 404 error. I am trying
>> all this with netbeans.
> Well I hope by now you understand why or we're just going in circles.
> Of course, that URL gives a 404: it's trying to access WEB-INF which is
> never accessible via HTTP. But it is accessible via
> RequestDispatcher.forward() -- e.g.:
>
> servletCtx.getRequestDispatcher("/WEB-INF/jsp/newjsp.jsp").forward(request, response);
>
> This is kind of like what you said earlier that your servlets are
> essentially doing, right?

No, I did not do it the way you mentioned. I just created a JSP under WEB-INF and invoked it directly and got a 404. I think I now see what you are mentioning, and it's a wonderful idea. Makes perfect sense now. Thanks Tim.

>>> This isn't a great approach because you really aren't separating the
>>> model from the view (all the app logic and display logic are housed in
>>> the JSP -- a maintenance nightmare). But if you don't have time to
>>> re-architect the app now, it will hide the .jsp's from "direct access".
>>> And it will put you in a slightly better position if/WHEN you do
>>> re-architect it.
>> I think I am using a kind of MVC pattern, of course the one used around 6
>> to 8 years back. I am using jsp as the view, a servlet as a kind of controller and
>> then some beans/jstl and el to make my life somewhat easy. I would love
>> to work with frameworks like spring or struts someday.
>>
> They're free you know. :-) But of course, free software doesn't add
> hours to the day. You're basically rolling your own MVC and that will
> probably help you understand better what these frameworks do. But move
> away from this as soon as you can. They've solved a lot of problems you
> probably haven't even considered and they can make your applications
> much less brittle if you take the time to learn them well.

Yup, I have another project in mind which I plan to roll out soon, probably either with Spring or JSF. Maybe in a month or 2. I am a fast learner and risk taker.
>> Ok, let me explain what I need again.
>>
>> I have form A with say about 10 fields; let's call this jsp A. So in the
>> browser bar it looks like http://localhost:8080/mysite/A.jsp
>>
> Ah, so you do want SOME of your JSPs to be URL accessible! Well, if
> A.jsp doesn't and never ever will have any dependencies on the
> application's state then fine. Maybe it's true today but I doubt it
> will stay that way. So it's probably better to be consistent and hide
> this as well.
>
>> User fills this A.jsp and then clicks the Submit button. It posts the form
>> to Servlet B which does an insert in the database and then forwards the
>> request via request dispatcher to C.jsp which has some confirmation
>> details in it (unique reference ids pulled out from the DB).
>>
> So on submit, an HTTP POST is sent to http://localhost:8080/mysite/B.
> Then servlet B does its work and essentially invokes:
>
> ctx.getRequestDispatcher("/C.jsp").forward(request, response);
>
> then C.jsp sends back the response using data from the session.
>
> Is this right?
>
> (btw, you know your app's requirements better than I, but storing all
> data in the session isn't the only scope available. It's likely that a
> lot of response data needn't survive past the current request. In that
> case, setting request attributes would be better -- less memory needed,
> less likely to pick up data that's inappropriate for the current
> request).

Yup, that's correct. I will explore this option of moving attributes to the request. Thanks.

>> Now with my existing setup if I directly give a url like
>>
>> http://localhost:8080/mysite/C.jsp I go directly to C.jsp, which I
>> should not, because it's not supposed to be accessed directly.
>>
> Right. Put C.jsp in WEB-INF, get a request dispatcher for
> "/WEB-INF/C.jsp", forward to that and go home.

Yup, got it. I think this should resolve my issue.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
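The two pieces Tim describes in the thread, as one worked example added here (it is not code from the thread or from Tomcat): a front-controller servlet that maps a URI such as /pages/sample to /WEB-INF/jsp/sample.jsp and forwards to it, and a "servlet B" that handles the POST from A.jsp and forwards to a C.jsp hidden under WEB-INF, passing its data in request scope rather than the session. The /pages/* prefix, the /WEB-INF/jsp directory, the class names and the allow-list pattern for page names are assumptions made for this example; the Servlet 3.0 annotations are what Tomcat 7 supports. Because the container refuses to serve anything under WEB-INF over HTTP, the forwarding servlet becomes the only way in, so it validates the page name before building a dispatcher path from it.

```java
import java.io.IOException;
import java.util.regex.Pattern;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Front controller that maps /pages/<name> to /WEB-INF/jsp/<name>.jsp.
 * JSPs under WEB-INF are never served directly by the container; only a
 * RequestDispatcher.forward() from inside the webapp can reach them.
 * (Hypothetical class and URL prefix chosen for this example.)
 */
@WebServlet("/pages/*")
public class JspForwardingServlet extends HttpServlet {

    // Allow only plain page names: letters, digits, '-' and '_'.
    // No '/', '.', ';' or anything else, so the request path can never be
    // turned into a dispatcher path other than the one we intend.
    private static final Pattern PAGE_NAME = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    // Assumed location of the hidden views.
    private static final String JSP_DIR = "/WEB-INF/jsp/";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // For a /pages/* mapping, getPathInfo() returns e.g. "/sample"
        // (already URL-decoded by the container), or null for /pages.
        String pathInfo = req.getPathInfo();
        String name = (pathInfo == null) ? "" : pathInfo.substring(1);

        if (!PAGE_NAME.matcher(name).matches()) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        String jspPath = JSP_DIR + name + ".jsp";

        // Unknown page: answer 404 ourselves instead of forwarding into nothing.
        if (getServletContext().getResource(jspPath) == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        RequestDispatcher rd = getServletContext().getRequestDispatcher(jspPath);
        rd.forward(req, resp);
    }
}

/**
 * The "servlet B" of the thread: receives the POST from A.jsp, does its
 * work, and forwards to the confirmation page that now lives under WEB-INF.
 * The database insert is stood in for by a constructed reference id.
 */
@WebServlet("/B")
class FormHandlerServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // ... insert the form fields into the database here ...
        String referenceId = "REF-" + System.currentTimeMillis(); // constructed placeholder

        // Request scope: C.jsp needs this value for the current response only,
        // so there is no reason to park it in the session.
        req.setAttribute("referenceId", referenceId);

        // C.jsp is under WEB-INF, so a browser asking for /mysite/C.jsp gets 404;
        // this forward is the only route to it.
        req.getRequestDispatcher("/WEB-INF/jsp/C.jsp").forward(req, resp);
    }
}
```

With this in place a GET for /mysite/pages/sample renders /WEB-INF/jsp/sample.jsp, a GET for /mysite/WEB-INF/jsp/sample.jsp still returns 404 from the container, and a name that fails the allow-list (anything containing a slash, dot or semicolon) is answered 404 before any dispatcher path is built. In C.jsp the reference id is then read with `${referenceId}` from request scope.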