RE: Protect JSP from Direct Access in Tomcat 7.0.xx

2012-06-19 Thread Sharon Prober (sprober)
You could always position your JSPs inside the WEB-INF dir.
This will enable you to access them only through server redirects rather
than absolute URLs.

Sharon

-Original Message-
From: Kiran Badi [mailto:ki...@poonam.org] 
Sent: Tuesday, June 19, 2012 3:10 AM
To: Tomcat Users List
Subject: Protect JSP from Direct Access in Tomcat 7.0.xx

Hi All,

I need your guidance again. I have a bunch of JSPs, close to 100+, which I
need to protect from direct access.

I have this mapping in web.xml and it is not working. It seems that I
probably need to define a role first and then use the settings below. But
unfortunately my app is an open internet application which does not use a
realm at all.

<security-constraint>
  <display-name>DenyAccesstoDirectJSP</display-name>
  <web-resource-collection>
    <web-resource-name>sample.jsp</web-resource-name>
    <description>Sample confirmation JSP</description>
    <url-pattern>*.jsp</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
</security-constraint>

All my JSPs reside in the webpages folder of the project directory. I
know this is incorrect and probably gives direct access to the JSPs.

So I have some clarifications to ask:

1. Is there a way to tell Tomcat not to serve JSPs directly, probably
via web.xml?

2. Is there any extra setting required if I move my JSPs inside
web-inf? I created a folder under web-inf, created a sample hello
world JSP, and then tried to invoke that JSP, but got a 404 message.

- Kiran

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org





Re: Protect JSP from Direct Access in Tomcat 7.0.xx

2012-06-19 Thread Kiran Badi

Yup, done this Sharon. Thanks.
On 6/19/2012 2:03 PM, Sharon Prober (sprober) wrote:

> You could always position your JSPs inside the WEB-INF dir.
> This will enable you to access them only through server redirects rather
> than absolute URLs.
>
> Sharon



Protect JSP from Direct Access in Tomcat 7.0.xx

2012-06-18 Thread Kiran Badi

Hi All,

I need your guidance again. I have a bunch of JSPs, close to 100+, which I
need to protect from direct access.


I have this mapping in web.xml and it is not working. It seems that I
probably need to define a role first and then use the settings below. But
unfortunately my app is an open internet application which does not use a
realm at all.


<security-constraint>
  <display-name>DenyAccesstoDirectJSP</display-name>
  <web-resource-collection>
    <web-resource-name>sample.jsp</web-resource-name>
    <description>Sample confirmation JSP</description>
    <url-pattern>*.jsp</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
</security-constraint>

All my JSPs reside in the webpages folder of the project directory. I
know this is incorrect and probably gives direct access to the JSPs.


So I have some clarifications to ask:

1. Is there a way to tell Tomcat not to serve JSPs directly, probably
via web.xml?


2. Is there any extra setting required if I move my JSPs inside
web-inf? I created a folder under web-inf, created a sample hello
world JSP, and then tried to invoke that JSP, but got a 404 message.


- Kiran




Re: Protect JSP from Direct Access in Tomcat 7.0.xx

2012-06-18 Thread Tim Watts
Hi Kiran,

On Tue, 2012-06-19 at 05:40 +0530, Kiran Badi wrote:
> Hi All,
>
> I need your guidance again. I have a bunch of JSPs, close to 100+, which I
> need to protect from direct access.
>
By direct access do you mean that http://host/myapp/sample.jsp is
returning the JSP source code rather than executing it?  Or do you mean
that you don't want any .jsp URLs to be accessible to users?

> I have this mapping in web.xml and it is not working. It seems that I
> probably need to define a role first and then use the settings below. But
> unfortunately my app is an open internet application which does not use a
> realm at all.
>
> <security-constraint>
>   <display-name>DenyAccesstoDirectJSP</display-name>
>   <web-resource-collection>
>     <web-resource-name>sample.jsp</web-resource-name>
>     <description>Sample confirmation JSP</description>
>     <url-pattern>*.jsp</url-pattern>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>   </web-resource-collection>
> </security-constraint>
>
This isn't going to help you. Dump it.

> All my JSPs reside in the webpages folder of the project directory. I
> know this is incorrect and probably gives direct access to the JSPs.
>
> So I have some clarifications to ask:
>
> 1. Is there a way to tell Tomcat not to serve JSPs directly, probably
> via web.xml?
>
If by serve direct jsp's you mean don't return source code then,
yes.  Put them under your web app's directory.  For example, if your web
app's context is 'myapp' then in tomcat it will be deployed under
TC_BASE/webapps/myapp.  You could put them directly in this directory
or group them under a separate directory; 'jsps' for instance.  Then
sample.jsp would be addressed as http://host/myapp/sample.jsp (or
http://host/myapp/jsps/sample.jsp )

> 2. Is there any extra setting required if I move my JSPs inside
> web-inf? I created a folder under web-inf, created a sample hello
> world JSP, and then tried to invoke that JSP, but got a 404 message.
>
First of all, it's WEB-INF. Case matters.  

No, there's no special setting that will directly expose anything
under WEB-INF via a URL.  That's part of the Servlet Spec.  It's a
Good Thing®.  However, if you're trying to make your JSPs inaccessible
via URLs, then you can move them there and have them indirectly accessed
using a servlet which forwards the request to them.  See
ServletContext.getRequestDispatcher() and RequestDispatcher.forward().

Hopefully, you're trying to use or move toward the MVC (Model, View,
Controller) pattern.  If not, you should.  Google MVC design pattern.
There are many, many frameworks that will make this easier for you (once
you learn them): Struts, Spring MVC...

If you're well into your project and don't want to add a framework to it
you could write a simple servlet that uses an algorithm to map URI paths
to JSPs then forwards to the JSP using a dispatcher.  For instance, you
could put your JSPs in myapp/WEB-INF/jsps.  Then have the servlet map a
URI such as /sample to /WEB-INF/jsps/sample.jsp (all relative
to /myapp). 

This isn't a great approach because you really aren't separating the
model from the view (all the app logic and display logic are housed in
the JSP -- a maintenance nightmare).  But if you don't have time to
re-architect the app now, it will hide the .jsp's from direct access.
And it will put you in a slightly better position if/WHEN you do
re-architect it.


> - Kiran
 
 




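The WEB-INF-plus-forward approach Tim describes above, as an added worked example that is not code from the thread, from Tomcat or from the original poster's application: one front-controller servlet that maps GET /view/<name> to /WEB-INF/jsps/<name>.jsp and forwards to it with ServletContext.getRequestDispatcher() and RequestDispatcher.forward(), and whose POST handler plays the role of "servlet B", putting its result in request scope and forwarding to a confirmation view C.jsp that also lives under WEB-INF. The servlet name, the /view/* mapping, the WEB-INF/jsps directory, the referenceId and submittedName attributes and the form field name are assumptions made for this example; the database insert is a placeholder comment. It assumes Servlet 3.0 (Tomcat 7) so the mapping can be declared with an annotation instead of web.xml.

```java
// Added example, not from the thread: a front controller that serves JSPs kept
// under WEB-INF (never reachable by URL) through RequestDispatcher.forward().
// Assumes Servlet 3.0 (Tomcat 7), a directory WEB-INF/jsps/ holding the views,
// and the hypothetical mapping /view/*.
import java.io.IOException;
import java.net.MalformedURLException;
import java.util.UUID;
import java.util.regex.Pattern;

import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * GET  /myapp/view/sample  -> forwards to /WEB-INF/jsps/sample.jsp
 * POST /myapp/view/submit  -> does the work of "servlet B", forwards to /WEB-INF/jsps/C.jsp
 * A direct request for /myapp/WEB-INF/jsps/C.jsp still gets Tomcat's 404.
 */
@WebServlet("/view/*")
public class ViewServlet extends HttpServlet {

    // Allowlist for view names: letters, digits and underscore only, so extra
    // path such as /view/../../C or an encoded slash never reaches the dispatcher.
    private static final Pattern VIEW_NAME = Pattern.compile("[A-Za-z][A-Za-z0-9_]{0,31}");

    /** Maps the extra path (e.g. "/sample") to a WEB-INF JSP path, or null if rejected. */
    static String resolveJsp(String pathInfo) {
        if (pathInfo == null || pathInfo.length() < 2 || pathInfo.charAt(0) != '/') {
            return null;
        }
        String name = pathInfo.substring(1);
        if (!VIEW_NAME.matcher(name).matches()) {
            return null;
        }
        return "/WEB-INF/jsps/" + name + ".jsp";
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        ServletContext ctx = getServletContext();
        String jsp = resolveJsp(req.getPathInfo());
        // Unknown or malformed view name, or no such file under WEB-INF: a plain
        // 404, the same answer Tomcat gives for a direct hit on WEB-INF itself.
        if (jsp == null || !exists(ctx, jsp)) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // The forward is internal to the container, so a WEB-INF path is
        // honoured here even though it is never served for a client request.
        ctx.getRequestDispatcher(jsp).forward(req, resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Only the form-submit action accepts POST; everything else is a 404.
        if (!"/submit".equals(req.getPathInfo())) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Placeholder for the real database insert: the id your DAO returns
        // goes where this constructed UUID is.
        String referenceId = UUID.randomUUID().toString();

        // Request scope: the confirmation data dies with this request, so there
        // is nothing to clean out of the session on logoff and nothing stale for
        // the next request to pick up.
        req.setAttribute("referenceId", referenceId);
        req.setAttribute("submittedName", req.getParameter("name"));

        // C.jsp reads ${referenceId} and ${submittedName} via EL; it sits under
        // WEB-INF, so it can only be reached through this forward.
        getServletContext().getRequestDispatcher("/WEB-INF/jsps/C.jsp").forward(req, resp);
    }

    /** True if the web app contains a resource at this context-relative path. */
    private static boolean exists(ServletContext ctx, String path) {
        try {
            return ctx.getResource(path) != null;
        } catch (MalformedURLException e) {
            return false;
        }
    }
}
```

For Tomcat 7 to pick up the annotation, web.xml must be a version 3.0 descriptor without metadata-complete="true" (or there must be no web.xml at all); otherwise declare the same /view/* mapping with servlet and servlet-mapping elements. One caveat on the security-constraint from the original post: a constraint with no auth-constraint element denies nothing, which is why it appeared to have no effect; an empty <auth-constraint/> would deny every direct client request for *.jsp while forwards like the ones above still work, because constraints are applied to client requests, not to RequestDispatcher forwards.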

Re: Protect JSP from Direct Access in Tomcat 7.0.xx

2012-06-18 Thread Kiran Badi

On 6/19/2012 8:03 AM, Tim Watts wrote:

> Hi Kiran,
>
> On Tue, 2012-06-19 at 05:40 +0530, Kiran Badi wrote:
>
> > Hi All,
> >
> > I need your guidance again. I have a bunch of JSPs, close to 100+, which I
> > need to protect from direct access.


> By direct access do you mean that http://host/myapp/sample.jsp is
> returning the JSP source code rather than executing it?  Or do you mean
> that you don't want any .jsp URLs to be accessible to users?

No, it's not returning source code. I have a couple of JSPs in which I use EL
to access session objects, and directly accessing those JSPs is not
something I want.



> > I have this mapping in web.xml and it is not working. It seems that I
> > probably need to define a role first and then use the settings below. But
> > unfortunately my app is an open internet application which does not use a
> > realm at all.
> >
> > <security-constraint>
> >   <display-name>DenyAccesstoDirectJSP</display-name>
> >   <web-resource-collection>
> >     <web-resource-name>sample.jsp</web-resource-name>
> >     <description>Sample confirmation JSP</description>
> >     <url-pattern>*.jsp</url-pattern>
> >     <http-method>GET</http-method>
> >     <http-method>POST</http-method>
> >   </web-resource-collection>
> > </security-constraint>


> This isn't going to help you. Dump it.

Yup, it's not helping.



> > All my JSPs reside in the webpages folder of the project directory. I
> > know this is incorrect and probably gives direct access to the JSPs.
> >
> > So I have some clarifications to ask:
> >
> > 1. Is there a way to tell Tomcat not to serve JSPs directly, probably
> > via web.xml?


> If by serve direct jsp's you mean don't return source code then,
> yes.  Put them under your web app's directory.  For example, if your web
> app's context is 'myapp' then in tomcat it will be deployed under
> TC_BASE/webapps/myapp.  You could put them directly in this directory
> or group them under a separate directory; 'jsps' for instance.  Then
> sample.jsp would be addressed as http://host/myapp/sample.jsp (or
> http://host/myapp/jsps/sample.jsp )

Yup, I have the same setup. Still it's not working. My bad.



> > 2. Is there any extra setting required if I move my JSPs inside
> > web-inf? I created a folder under web-inf, created a sample hello
> > world JSP, and then tried to invoke that JSP, but got a 404 message.
>
> First of all, it's WEB-INF. Case matters.

Ok, got it.



> No, there's no special setting that will directly expose anything
> under WEB-INF via a URL.  That's part of the Servlet Spec.  It's a
> Good Thing®.  However, if you're trying to make your JSPs inaccessible
> via URLs, then you can move them there and have them indirectly accessed
> using a servlet which forwards the request to them.  See
> ServletContext.getRequestDispatcher() and RequestDispatcher.forward().

Yup, I have lots of request dispatchers in servlets. Almost all my
JSPs use data which is forwarded by servlets. I pull data from the DB
via a servlet, store it in session scope, forward it to the JSP, and in the
JSP access it via EL. On logoff I remove the attributes from the session.



> Hopefully, you're trying to use or move toward the MVC (Model, View,
> Controller) pattern.  If not, you should.  Google MVC design pattern.
> There are many, many frameworks that will make this easier for you (once
> you learn them): Struts, Spring MVC...
>
> If you're well into your project and don't want to add a framework to it
> you could write a simple servlet that uses an algorithm to map URI paths
> to JSPs then forwards to the JSP using a dispatcher.  For instance, you
> could put your JSPs in myapp/WEB-INF/jsps.  Then have the servlet map a
> URI such as /sample to /WEB-INF/jsps/sample.jsp (all relative
> to /myapp).

http://localhost:8080/mysite/WEB-INF/jsp/newjsp.jsp

I just created a folder jsp under WEB-INF, added newjsp.jsp (this
is a hello world JSP), and then ran the file. I get a 404 error. I am trying
all this with NetBeans.

> This isn't a great approach because you really aren't separating the
> model from the view (all the app logic and display logic are housed in
> the JSP -- a maintenance nightmare).  But if you don't have time to
> re-architect the app now, it will hide the .jsp's from direct access.
> And it will put you in a slightly better position if/WHEN you do
> re-architect it.

I think I am using a kind of MVC pattern, of course the one used around 6
to 8 years back. I am using JSP as the view, a servlet as a kind of controller,
and then some beans/JSTL and EL to make my life somewhat easier. I would love
to work with frameworks like Spring or Struts someday.


Ok, let me explain again what I need.

I have form A with say about 10 fields; let's call this JSP A. So in the
browser bar it looks like http://localhost:8080/mysite/A.jsp

The user fills in this A.jsp and then clicks the Submit button. It posts the form
to Servlet B, which does an insert in the database and then forwards the
request via a request dispatcher to C.jsp, which has some confirmation
details in it (unique reference ids pulled out from the DB).

Now with my existing setup, if I directly give a URL like

http://localhost:8080/mysite/C.jsp   I go directly to C.jsp, which I
should not because its not suppose

Re: Protect JSP from Direct Access in Tomcat 7.0.xx

2012-06-18 Thread Tim Watts
On Tue, 2012-06-19 at 08:48 +0530, Kiran Badi wrote:
> No, it's not returning source code. I have a couple of JSPs in which I use EL
> to access session objects, and directly accessing those JSPs is not
> something I want.

Good move.

<SNIP>

> > 2. Is there any extra setting required if I move my JSPs inside
> > web-inf? I created a folder under web-inf, created a sample hello
> > world JSP, and then tried to invoke that JSP, but got a 404 message.
>
> > First of all, it's WEB-INF. Case matters.
> Ok, got it.
>
>
> > No, there's no special setting that will directly expose anything
> > under WEB-INF via a URL.  That's part of the Servlet Spec.  It's a
> > Good Thing®.  However, if you're trying to make your JSPs inaccessible
> > via URLs, then you can move them there and have them indirectly accessed
> > using a servlet which forwards the request to them.  See
> > ServletContext.getRequestDispatcher() and RequestDispatcher.forward().

> Yup, I have lots of request dispatchers in servlets. Almost all my
> JSPs use data which is forwarded by servlets. I pull data from the DB
> via a servlet, store it in session scope, forward it to the JSP, and in the
> JSP access it via EL. On logoff I remove the attributes from the session.
>

So then those JSPs which are forwarded to by servlets (typical
controllers in MVC) could be moved to WEB-INF/whatever and then the
servlets would use a dispatcher to forward to
/WEB-INF/whatever/sample.jsp instead of /webpages/sample.jsp or
whatever they're using now.  You'd need to physically move those JSPs
then update the servlets to use the JSPs' new location.

 
> > Hopefully, you're trying to use or move toward the MVC (Model, View,
> > Controller) pattern.  If not, you should.  Google MVC design pattern.
> > There are many, many frameworks that will make this easier for you (once
> > you learn them): Struts, Spring MVC...
> >
> > If you're well into your project and don't want to add a framework to it
> > you could write a simple servlet that uses an algorithm to map URI paths
> > to JSPs then forwards to the JSP using a dispatcher.  For instance, you
> > could put your JSPs in myapp/WEB-INF/jsps.  Then have the servlet map a
> > URI such as /sample to /WEB-INF/jsps/sample.jsp (all relative
> > to /myapp).
> http://localhost:8080/mysite/WEB-INF/jsp/newjsp.jsp
>
> I just created a folder jsp under WEB-INF, added newjsp.jsp (this
> is a hello world JSP), and then ran the file. I get a 404 error. I am trying
> all this with NetBeans.

Well I hope by now you understand why or we're just going in circles.
Of course, that URL gives a 404: it's trying to access WEB-INF which is
never accessible via HTTP.  But it is accessible via
RequestDispatcher.forward() -- e.g.:


servletCtx.getRequestDispatcher("/WEB-INF/jsp/newjsp.jsp").forward(request, response);

This is kind of like what you said earlier that your servlets are
essentially doing, right?


> > This isn't a great approach because you really aren't separating the
> > model from the view (all the app logic and display logic are housed in
> > the JSP -- a maintenance nightmare).  But if you don't have time to
> > re-architect the app now, it will hide the .jsp's from direct access.
> > And it will put you in a slightly better position if/WHEN you do
> > re-architect it.
> I think I am using a kind of MVC pattern, of course the one used around 6
> to 8 years back. I am using JSP as the view, a servlet as a kind of controller,
> and then some beans/JSTL and EL to make my life somewhat easier. I would love
> to work with frameworks like Spring or Struts someday.
>
They're free you know. :-)  But of course, free software doesn't add
hours to the day.  You're basically rolling your own MVC and that will
probably help you understand better what these frameworks do.  But move
away from this as soon as you can.  They've solved a lot of problems you
probably haven't even considered and they can make your applications
much less brittle if you take the time to learn them well.

> Ok, let me explain again what I need.
>
> I have form A with say about 10 fields; let's call this JSP A. So in the
> browser bar it looks like http://localhost:8080/mysite/A.jsp
>
Ah, so you do want SOME of your JSPs to be URL accessible!  Well, if
A.jsp doesn't and never ever will have any dependencies on the
application's state then fine.  Maybe it's true today but I doubt it
will stay that way.  So it's probably better to be consistent and hide
this as well.

> The user fills in this A.jsp and then clicks the Submit button. It posts the form
> to Servlet B, which does an insert in the database and then forwards the
> request via a request dispatcher to C.jsp, which has some confirmation
> details in it (unique reference ids pulled out from the DB).
>
So on submit, an HTTP POST is sent to http://localhost:8080/mysite/B.
Then servlet B does its work and essentially invokes:

ctx.getRequestDispatcher("/C.jsp").forward(request, response);

then C.jsp sends back the response using data from the session.

Is this right?

(btw, you know your app's

Re: Protect JSP from Direct Access in Tomcat 7.0.xx

2012-06-18 Thread Kiran Badi

On 6/19/2012 10:22 AM, Tim Watts wrote:

> > > Hopefully, you're trying to use or move toward the MVC (Model, View,
> > > Controller) pattern.  If not, you should.  Google MVC design pattern.
> > > There are many, many frameworks that will make this easier for you (once
> > > you learn them): Struts, Spring MVC...
> > >
> > > If you're well into your project and don't want to add a framework to it
> > > you could write a simple servlet that uses an algorithm to map URI paths
> > > to JSPs then forwards to the JSP using a dispatcher.  For instance, you
> > > could put your JSPs in myapp/WEB-INF/jsps.  Then have the servlet map a
> > > URI such as /sample to /WEB-INF/jsps/sample.jsp (all relative
> > > to /myapp).
> >
> > http://localhost:8080/mysite/WEB-INF/jsp/newjsp.jsp
> >
> > I just created a folder jsp under WEB-INF, added newjsp.jsp (this
> > is a hello world JSP), and then ran the file. I get a 404 error. I am trying
> > all this with NetBeans.

> Well I hope by now you understand why or we're just going in circles.
> Of course, that URL gives a 404: it's trying to access WEB-INF which is
> never accessible via HTTP.  But it is accessible via
> RequestDispatcher.forward() -- e.g.:
>
> servletCtx.getRequestDispatcher("/WEB-INF/jsp/newjsp.jsp").forward(request, response);
>
> This is kind of like what you said earlier that your servlets are
> essentially doing, right?

No, I did not do it the way you mentioned. I just created a JSP under WEB-INF
and invoked it directly and got a 404. I think I now see what you are
mentioning.

And it's a wonderful idea. Makes perfect sense now. Thanks Tim.



> > > This isn't a great approach because you really aren't separating the
> > > model from the view (all the app logic and display logic are housed in
> > > the JSP -- a maintenance nightmare).  But if you don't have time to
> > > re-architect the app now, it will hide the .jsp's from direct access.
> > > And it will put you in a slightly better position if/WHEN you do
> > > re-architect it.
> >
> > I think I am using a kind of MVC pattern, of course the one used around 6
> > to 8 years back. I am using JSP as the view, a servlet as a kind of controller,
> > and then some beans/JSTL and EL to make my life somewhat easier. I would love
> > to work with frameworks like Spring or Struts someday.


> They're free you know. :-)  But of course, free software doesn't add
> hours to the day.  You're basically rolling your own MVC and that will
> probably help you understand better what these frameworks do.  But move
> away from this as soon as you can.  They've solved a lot of problems you
> probably haven't even considered and they can make your applications
> much less brittle if you take the time to learn them well.

Yup, I have another project in mind which I plan to roll out soon,
probably either with Spring or JSF. Maybe in a month or 2. I am a fast
learner and risk taker.





> > Ok, let me explain again what I need.
> >
> > I have form A with say about 10 fields; let's call this JSP A. So in the
> > browser bar it looks like http://localhost:8080/mysite/A.jsp


> Ah, so you do want SOME of your JSPs to be URL accessible!  Well, if
> A.jsp doesn't and never ever will have any dependencies on the
> application's state then fine.  Maybe it's true today but I doubt it
> will stay that way.  So it's probably better to be consistent and hide
> this as well.


> > The user fills in this A.jsp and then clicks the Submit button. It posts the form
> > to Servlet B, which does an insert in the database and then forwards the
> > request via a request dispatcher to C.jsp, which has some confirmation
> > details in it (unique reference ids pulled out from the DB).


> So on submit, an HTTP POST is sent to http://localhost:8080/mysite/B.
> Then servlet B does its work and essentially invokes:
>
> ctx.getRequestDispatcher("/C.jsp").forward(request, response);
>
> then C.jsp sends back the response using data from the session.
>
> Is this right?
>
> (btw, you know your app's requirements better than I, but storing all
> data in the session isn't the only scope available.  It's likely that a
> lot of response data needn't survive past the current request.  In that
> case, setting request attributes would be better -- less memory needed,
> less likely to pick up data that's inappropriate for the current
> request).

Yup, that's correct. I will explore this option of moving attributes to the
request. Thanks.

> > Now with my existing setup, if I directly give a URL like
> >
> > http://localhost:8080/mysite/C.jsp   I go directly to C.jsp, which I
> > should not because it's not supposed to be accessed directly.


> Right.  Put C.jsp in WEB-INF, get a request dispatcher for
> /WEB-INF/C.jsp, forward to that and go home.

Yup, got it. I think this should resolve my issue.





