tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: how to prevent user access to JSP pages?
Date Thu, 23 Aug 2018 09:26:11 GMT
On 22/08/18 19:48, Terence M. Bandoian wrote:

<snip/>

> Back on topic, do JSPs have to be registered with the container using
> servlet mappings in web.xml or some other mechanism in order to serve as
> targets of forwards by servlets?  Further, does doing so make those JSPs
> accessible via external requests?  I suspect the answer to both
> questions is yes which means an additional mechanism will have to be
> introduced to block that access which I believe was the original
> question.  Servlet filter?

What makes JSPs accessible is the mapping of *.jsp to the JSP servlet.
Any file outside of WEB-INF with a .jsp extension will be passed to the
JSP servlet for processing:
- .jsp -> .java
- .java -> .class (servlet)
- send request to servlet from previous step

JSPs (or any other files) located under WEB-INF are never directly
accessible.

Forwards and includes can reference JSP files (actually any files)
located under WEB-INF and the file is processed the same way it would be
if it were located outside of WEB-INF. The idea of locating files under
WEB-INF is so you can use them in forwards and includes without them
being directly accessible.

Mark

P.S. It is actually WEB-INF or META-INF everywhere I write WEB-INF above
but I only used WEB-INF to try and keep it clearer.
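
Added example (not part of the message above and not Tomcat project code): a Python check that lists the JSP entries in a WAR that sit outside the top-level WEB-INF and META-INF directories, which the message says are the ones reachable through the *.jsp mapping. The function names and the sample archive are constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

PROTECTED_ROOTS = {"WEB-INF", "META-INF"}  # the two directories named in the message


def directly_reachable_jsps(war, extensions=(".jsp",)):
    """Return the JSP entries in a WAR that an external request can reach.

    `war` is a path or file-like object. An entry is reported when its
    extension is mapped to the JSP servlet and its first path segment is
    not WEB-INF or META-INF.
    """
    reachable = []
    with zipfile.ZipFile(war) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = PurePosixPath(info.filename)
            if path.suffix not in extensions:
                continue
            # Only the top-level directory counts: docs/WEB-INF/x.jsp is
            # an ordinary folder that happens to share the name.
            if path.parts[0] in PROTECTED_ROOTS:
                continue
            reachable.append(info.filename)
    return sorted(reachable)


def build_sample_war():
    """Constructed sample WAR, built in memory (not from the thread)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in (
            "index.jsp",
            "admin/report.jsp",
            "WEB-INF/web.xml",
            "WEB-INF/views/report.jsp",
            "META-INF/fragments/footer.jsp",
            "docs/WEB-INF/help.jsp",
            "static/logo.png",
        ):
            zf.writestr(name, "")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for entry in directly_reachable_jsps(build_sample_war()):
        print("reachable by external request:", entry)
```

Entries it reports are candidates to move under WEB-INF and serve only through a servlet forward or include.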
