tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Wall <>
Subject Re: how to prevent user access to JSP pages?
Date Thu, 16 Aug 2018 18:26:46 GMT
I'll be curious to see the answers.

JSPs are servlets.

For us, the common way would be for your non-JSP servlets to 
authenticate the request (and save the results in the request), and then 
your JSPs can check if the request has been authenticated before 
progressing further.  Of course, if it's just a login check, you can 
save the results of the authentication in the session, and when missing, 
redirect to your login.

On 8/16/18 10:19 AM, Berneburg, Cris J. - US wrote:
> Due to security concerns and general fussiness on my part, I'd like to prevent users
from requesting JSP pages directly, except for the login page.  I want all requests to be
handled by servlets.  That way I can legitimately claim that all requests are being validated,
input scrubbed, JSP's cannot be taken advantage of w/o their servlet chaperones being present,
> a. One way I read is by adding a <security-constraint> for each folder.  One use
case is for JSP include files.  That looks possible but makes it seem like these are exceptions
and not the rule.  I want "deny, deny, deny" to be the default and the one or 2 allowable
JSP pages to be the exception.
> b. Another way mentioned is by having most of the JSP files under the WEB-INF folder.
 That way the users don't have access to the JSP's but the servlets do.  My understanding
is a little wobbly here, because I can't conceptualize the virtual path for files under WEB-INF
when sending a response.  (See line of code below.)  Also, that would require moving most
of the JSP files.
>> request.getRequestDispatcher("folder/file.jsp"); // what about WEB-INF?
> Is there a "smart" way of doing this?  Perhaps it would have been prudent to organize
the JSP folders "properly" in the first place, but we're way beyond that now.
> Got any comments, suggestions, advice?
> Thanks.  :-)
> --
> Cris Berneburg
> CACI Lead Software Engineer

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message