Point taken regarding images.

But is this the only way to protect JSPs?
I have a directory structure as follows
/jsp/feedback/start.jsp
/jsp/feedback/finish.jsp

I want them to be able to bookmark start.jsp and access it either through the interface or directly from the URL, but I don't want them to access
finish.jsp directly because it doesn't make any sense, as it is only shown after processing start.jsp.


From what you're saying, I would have to either do
/WEB-INF/feedback/start.jsp
/WEB-INF/feedback/finish.jsp
which would mean they couldn't bookmark anything

or do
/jsp/feedback/start.jsp
/WEB-INF/feedback/finish.jsp

which screws up my links and stuff, meaning quite a lot of rework and stuff over the whole site.

On a similar note, some of my JSPs call a servlet. In my web.xml it is defined and URL-mapped as follows
<servlet>
    <servlet-name>Controller</servlet-name>
    <servlet-class>com.myapp.Controller</servlet-class>
    <load-on-startup>0</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>Controller</servlet-name>
    <url-pattern>/controller</url-pattern>
</servlet-mapping>


My JSP would then call
<form name="feedbackform2" method="post" action="<%=request.getContextPath()%>/controller">
to call the servlet.


The trouble is the user can type directly into the URL localhost:8080/myapp/controller

and call the servlet out of context. How do I stop that?





Tim Funk wrote:

You can't prevent images from being taken.

As for JSPs, move them to your WEB-INF directory. Then use a servlet to validate the incoming parameters and then forward to the JSP.

-Tim


Paul Taylor wrote:

Thanks, works a treat.

Is there a similar way to prevent the user typing in the URL of a particular JSP or image and stop them being taken to it? I've looked at security-constraints, but this seems to be based on only certain/logged-in users gaining access. I have no concept of logged-in users in my application, but I only want them to access pages via the interface rather than the URL, except for a few pages which they can access via URL to allow them to bookmark them.

Shapira, Yoav wrote:

Hi,
Add a listings parameter to the DefaultServlet in conf/web.xml with a
param-value of false.  IIRC.

Yoav Shapira http://www.yoavshapira.com




--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
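
A sketch of the layout discussed in this thread, added here as an example and not code posted by anyone on the list: start.jsp stays public and bookmarkable, finish.jsp lives under /WEB-INF, and the Controller servlet validates the POST before forwarding. It assumes the javax.servlet API; the "comment" field name and the length limit are hypothetical.

```java
package com.myapp;

import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: mapped to /controller as in the web.xml above.
public class Controller extends HttpServlet {

    // Reachable only by a server-side forward; the container refuses
    // direct client requests for anything under /WEB-INF.
    private static final String FINISH_VIEW = "/WEB-INF/feedback/finish.jsp";
    // Public, bookmarkable entry page.
    private static final String START_PAGE = "/jsp/feedback/start.jsp";
    private static final int MAX_COMMENT_LENGTH = 2000; // assumed limit

    // A URL typed into the address bar arrives as GET: there is nothing
    // to process, so send the browser back to the form.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        resp.sendRedirect(req.getContextPath() + START_PAGE);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String comment = req.getParameter("comment"); // hypothetical field name
        if (comment == null || comment.trim().isEmpty()
                || comment.length() > MAX_COMMENT_LENGTH) {
            // Missing or oversized input: never reach the finish view.
            resp.sendRedirect(req.getContextPath() + START_PAGE);
            return;
        }
        // finish.jsp must HTML-escape this value when it renders it.
        req.setAttribute("comment", comment.trim());
        RequestDispatcher view = req.getRequestDispatcher(FINISH_VIEW);
        view.forward(req, resp);
    }
}
```

Handling GET this way only covers the address-bar case; any client can still send a POST to /controller, so the parameter validation in doPost is what keeps the servlet from doing work on out-of-context requests.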



