Quoting Koon Yue Lam <[EMAIL PROTECTED]>:

> Hi Hassan ,
> yes, the .js and .css are externally-accessible, but the .jsp aren't ....
> so my jsp can't refer to those .js and .css
>

Huh?  Why would you say that?  Let's say I have the following structure...

myapp
  /assets
    /style/my.css
    /script/my.js
  /WEB-INF
    web.xml
    /jsp/my.jsp

And my.jsp looks like...

<html>
  <head>
    <link rel="Stylesheet" href="assets/style/my.css" type="text/css">
    <script src="assets/script/my.js" type="text/javascript"></script>
    <title>mock jsp</title>
  </head>
  <body>
    <h1>Hello World</h1>
  </body>
</html>

So, what's the problem?  The <link> and <script> locations are loaded by the
browser and have no relation whatsoever to the actual location of your JSP.
Keep in mind that the only way you can provide this JSP for viewing is to do a
server-side forward to it.  Web page resources and links will be resolved
relative to the path of the URL in your browser location bar.  Note that this
wouldn't be strictly true if you redirected to the JSP resource, but this is
impossible in this case because you can't redirect to a resource existing
within WEB-INF because the browser client has no access to it, only the server
does.  In any case, you can always make the resource URLs relative to the root
of the application by doing "/myapp/assets/script/my.js".

> and after viewing this thread, I think I would take QM approach but u
> mentioned I can put all jsp into one folder and protect it. How? Is it
> a web container level or OS level protection ?
>

The *only* valid reason I can see for not putting JSPs (not meant for direct
viewing) under WEB-INF is lack of server support for it.  However, any modern
server worth its salt now supports this.  If yours doesn't, you might want to
think about changing vendors or, at least, upgrading your version to one that
supports this feature.

My rule of thumb is to put JSPs that are not meant for direct viewing (only
forwarding to from a controller servlet) under WEB-INF and JSPs that are meant
for direct viewing outside of WEB-INF.  You get the security for free!  Why one
would bother with needless extra security configuration is beyond me.
And what if you forget or configure it wrong?

Jake

> Regards
>
>
> On Sun, 26 Dec 2004 08:45:00 -0800, Hassan Schroeder
> <[EMAIL PROTECTED]> wrote:
> > Koon Yue Lam wrote:
> > > Hi, I want to protect my JSP from direct access, so they can only
> > > access by Struts action.
> > > but....
> > >
> > > If I want to include some Javascript or CSS to a JSP, I can't !
> > > Because .js and .css needed to place directly under WebRoot
> >
> > I'm afraid I don't understand the issue.
> >
> > If you're putting your JS and CSS in an externally-accessible place
> > (maybe /scripts and /styles) then the standard HTML references for
> > "external" resources:
> >
> > <link rel="stylesheet" type="text/css" href="/styles/example.css"/>
> > <style type="text/css">@import "/styles/example.css";</style>
> > <script type="text/javascript" src="/scripts/example.js"></script>
> >
> > :: will work fine.
> >
> > The client UA can access them directly (and cache them, which is
> > usually a desirable behavior).
> >
> > HTH,
> > --
> > Hassan Schroeder ----------------------------- [EMAIL PROTECTED]
> > Webtuitive Design ===  (+1) 408-938-0567   === http://webtuitive.com
> >
> >                           dream.  code.
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
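
An added example, not part of the original thread: a small link check that resolves the hrefs of a forwarded JSP the way a browser does, against the URL in the location bar, using the myapp layout from the message above. The host, the `hello.do` and `admin/hello.do` action URLs, and the function names are assumptions made for illustration.

```javascript
// Added example: how a browser resolves asset links in a JSP reached by forward.
// DEPLOYED mirrors the myapp layout in the message; the action URLs are constructed.
const CONTEXT = "/myapp";
const DEPLOYED = new Set([
  "/assets/style/my.css",
  "/assets/script/my.js",
  "/WEB-INF/web.xml",
  "/WEB-INF/jsp/my.jsp",
]);

// Classify one href as the browser would request it from pageUrl.
function checkLink(pageUrl, href) {
  // Resolution uses the URL in the location bar, never the JSP's path on disk.
  const path = new URL(href, pageUrl).pathname;
  if (!path.startsWith(CONTEXT + "/")) return { path, status: "outside-app" };
  const inApp = path.slice(CONTEXT.length);
  // The container refuses direct client requests for anything under WEB-INF.
  if (/^\/WEB-INF(\/|$)/i.test(inApp)) return { path, status: "blocked" };
  return { path, status: DEPLOYED.has(inApp) ? "ok" : "missing" };
}

// Check every href of a page for one browser-visible URL.
function report(pageUrl, hrefs) {
  return hrefs.map((href) => ({ href, ...checkLink(pageUrl, href) }));
}

const HREFS = [
  "assets/style/my.css",        // relative, as in my.jsp
  "/myapp/assets/script/my.js", // relative to the application root
  "WEB-INF/jsp/my.jsp",         // a link straight at the protected JSP
];
for (const page of ["http://localhost:8080/myapp/hello.do",
                    "http://localhost:8080/myapp/admin/hello.do"]) {
  console.log(page);
  for (const r of report(page, HREFS)) {
    console.log(`  ${r.href} -> ${r.path} [${r.status}]`);
  }
}
```

The relative stylesheet link resolves correctly only while the action URL sits directly under the context path; the root-relative form works from any action URL, and a link into WEB-INF is never served to the client.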