tomcat-users mailing list archives

From Woonsan Ko <>
Subject Re: how to prevent user access to JSP pages?
Date Mon, 20 Aug 2018 17:42:02 GMT
On Mon, Aug 20, 2018 at 1:19 PM, Berneburg, Cris J. - US
<> wrote:
> Hi Woonsan
> Thanks for providing an "option C".  :-)  There is still much for me to learn.
You're welcome. :-)

> cjb> Due to security concerns and general fussiness on my part, I'd like
> cjb> to prevent users from requesting JSP pages directly [...].  That
> cjb> way I can legitimately claim that all requests are being validated,
> cjb> input scrubbed, JSPs cannot be taken advantage of w/o their
> cjb> servlet chaperones being present, etc.
> cjb> a. [...] adding a <security-constraint> for each folder.
> cjb> b. [...] JSP files under the WEB-INF folder.
> wk> c. Implement a servlet filter which is mapped to /* with dispatcher
> wk> options: REQUEST, INCLUDE, FORWARD. The filter may check the request
> wk> URI or include/forward URI (through request attributes).
> While I have a general idea of what you mean, I don't know how to implement that.  Is
> that a standard practice?
I think the option uses standards and doesn't depart from standard practices.
Chapter 6 of the servlet spec [1] describes what a Filter is,
when/how it can be used, its lifecycle, etc. Dispatcher options are
explained in 6.2.5.
Your servlet filter implementation may be invoked as a pre-processing
component before other resources or servlets.
When a .jsp is accessed directly, your filter may be invoked with the REQUEST
dispatcher option (the default unless configured manually), and you can
check the resource path info through
HttpRequestServlet#getRequestURI(), e.g., /examples/hello.jsp. If you
want to check the cases where the JSP is included or forwarded through
RequestDispatcher, you may check the servlet request attributes described
in section 9.3.1 (for inclusion) or 9.4.2 (for forwarding). So,
you might want to check the include/forward path first and find the requestURI
afterward to check everything and modify the response as a result. For
example, you can choose to send a 4xx response if the condition
doesn't meet your requirement.
All of those are based on servlet standards.
> --
> Cris Berneburg
> CACI Lead Software Engineer
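
As an added illustration of "option c" above (example code written for this page, not code from the thread, from Tomcat or from either poster): a filter mapped to /* for the REQUEST, INCLUDE and FORWARD dispatcher types that answers direct client requests for *.jsp with a 404 while letting servlet-initiated forwards and includes through. It assumes the Servlet 4.0 javax.servlet API (where Filter.init/destroy have default bodies); the class name JspGuardFilter is hypothetical.

```java
import java.io.IOException;
import java.util.Locale;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Hypothetical filter; the annotation is equivalent to a <filter>/<filter-mapping>
// in web.xml with three <dispatcher> entries (servlet spec 6.2.5).
@WebFilter(urlPatterns = "/*",
        dispatcherTypes = {DispatcherType.REQUEST, DispatcherType.INCLUDE, DispatcherType.FORWARD})
public class JspGuardFilter implements Filter {

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String path = servedPath(request);

        if (isJsp(path) && request.getDispatcherType() == DispatcherType.REQUEST) {
            // The client asked for the JSP itself: refuse with 404 so the page's
            // existence is not confirmed, and nothing downstream runs.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // INCLUDE/FORWARD dispatches originate from a servlet in this context, so its
        // validation has already run. The original client URI is still available
        // (spec 9.4.2) via request.getAttribute(RequestDispatcher.FORWARD_REQUEST_URI)
        // if a stricter origin policy is wanted.
        chain.doFilter(req, res);
    }

    // Path of the resource actually being served for this dispatch type, taken from
    // the container-decoded servlet path rather than the raw getRequestURI(), so
    // percent-encoding and ";" path parameters are already normalized away.
    static String servedPath(HttpServletRequest r) {
        if (r.getDispatcherType() == DispatcherType.INCLUDE) {
            // On INCLUDE, getServletPath() still names the includer; the included
            // resource lives in the javax.servlet.include.* attributes (spec 9.3.1).
            String sp = (String) r.getAttribute(RequestDispatcher.INCLUDE_SERVLET_PATH);
            String pi = (String) r.getAttribute(RequestDispatcher.INCLUDE_PATH_INFO);
            return sp + (pi == null ? "" : pi);
        }
        // On REQUEST and FORWARD, getServletPath()/getPathInfo() describe the target.
        String pi = r.getPathInfo();
        return r.getServletPath() + (pi == null ? "" : pi);
    }

    static boolean isJsp(String path) {
        String p = path.toLowerCase(Locale.ROOT);
        return p.endsWith(".jsp") || p.endsWith(".jspx");
    }
}
```

This complements, rather than replaces, keeping JSPs under /WEB-INF (option b): the filter only governs how a JSP is reached, not whether it is deployed where the container will serve it.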