Yes. That would be an alternative approach. However, I want to use CMS (Container Managed Security) to protect direct access to .jsp pages. This should be possible as per the Servlet specification.
/robert > -----Original Message----- > From: Ben Souther [mailto:[EMAIL PROTECTED] > Sent: Tuesday, December 14, 2004 1:16 PM > To: Tomcat Users List > Subject: RE: [newbie] Container Managed Security - preventing direct > accessto .jsp > > > Filters are portable. > > > > On Tue, 2004-12-14 at 12:32, Robert Taylor wrote: > > Ping... > > > > Please let me know if this questions is just too obvious > > and I'll gladly RTFM...even more. And yes, I know this list > > is not here just to serve _my_ interests. > > > > It just seems like a common idiom to provide a portable mechanism > > for protecting direct access to .jsp so as to enforce access through > > some controller. I have in the past placed .jsp files "behind" WEB-INF, > > but I don't believe that is portable and would like to use CMS to achieve > > this. > > > > Thanks again. > > > > /robert > > > > > > > -----Original Message----- > > > From: Robert Taylor [mailto:[EMAIL PROTECTED] > > > Sent: Monday, December 13, 2004 8:59 PM > > > To: [EMAIL PROTECTED] > > > Subject: [newbie] Container Managed Security - preventing direct access > > > to .jsp > > > > > > > > > Greetings, > > > > > > I'm new to Tomcat and this mailing list, and have a question > > > regarding configuring Tomcat to simply disallow access to .jsp pages > > > which I have been protected via the <security-constraint/> in my web app > > > web.xml file. > > > > > > >From what I understand, the following should do the trick and cause > > > a 403 error to be sent to the browser by the container. I would like > > > to trap that error code and display a user friendly page (I chose any page > > > so I would know it's working). > > > > > > I've simply modified the Tomcat jsp-examples web app. Here's a snippet > > > of the necessary artifacts in the web.xml file. > > > > > > > > > > > > <error-page> > > > <error-code>403</error-code> > > > <location>/dates/date.jsp</location> > > > </error-page> > > > > > > <security-constraint> > > > <display-name>Example Security Constraint</display-name> > > > <web-resource-collection> > > > <web-resource-name>Protected Area</web-resource-name> > > > <url-pattern>/security/protected/*</url-pattern> > > > </web-resource-collection> > > > </security-constraint> > > > > > > > > > I believe the constraint is working, but I don't think the > > > <error-page/> is "catching" the 403 status code. This is probably > > > because a 403 status code is not returned, but rather a 200 (I verified > > > this by looking at the response headers). > > > > > > Anyhow, the content of the returned page is below within the <content/>: > > > > > > > > > <content> > > > You are logged in as remote user null in session > > > D97EE937BEC953A7E82E42B3956AED86 > > > > > > No user principal could be identified. > > > > > > To check whether your username has been granted a particular role, enter > > > it here: > > > > > > > > > If you have configured this app for form-based authentication, you can > > > log off by > > > clicking here. This should cause you to be returned to the logon page > > > after the > > > redirect that is performed. > > > </content> > > > > > > I'm sure this has happened to someone else, I just cannot find where. > > > I googled and didn't come up with much. I searched the archives using > > > "You are logged in as remote user null in session" and no matches were > > > found. > > > > > > Any help would be greatly appreciated. > > > > > > /robert > > > > > > > > > > > > > > > --------------------------------------------------------------------- > > > To unsubscribe, e-mail: [EMAIL PROTECTED] > > > For additional commands, e-mail: [EMAIL PROTECTED] > > > > > > > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: [EMAIL PROTECTED] > > For additional commands, e-mail: [EMAIL PROTECTED] > > > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
