Date: 2005-01-01T10:05:31 Editor: DavidKarr Wiki: Apache Struts Wiki Page: StrutsCatalogHidingPagesUnderWEBINF URL: http://wiki.apache.org/struts/StrutsCatalogHidingPagesUnderWEBINF
no comment Change Log: ------------------------------------------------------------------------------ @@ -19,3 +19,11 @@ I personally prefer to use filter for hiding pages. I set filter to return 404 on every request for *.jsp page. I can also change filter to allow for example only index.jsp to pass, but all other pages to be unavailable. This is IMHO better than relying on container implementation. -- IvanRekovic + +---- + +Another option for disallowing access to JSPs is simply to add a security-constraint for the role "nobody" for "*.jsp". Unfortunately, it appears you have to add one "url-pattern" element for every subdirectory. I don't believe there's any way to specify something like "**/*.jsp", as in Ant. + +You can even disallow access to JSPs in the root of the app, like "index.jsp". You might think this makes it impossible to have a welcome page. However, one "trick" that I believe should work in all containers is to set your welcome file to "index.do", create a file called "index.do" in the root (contents are irrelevant), and create an action-mapping for "/index.do". This works because the servlet specification states that the named welcome file needs to exist, but then it hands the URL to the container to serve, which handles it just like any other URL. + +-- DavidKarr --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
