Tested it again tomcat (8.5.15), definitely a 403.  Will see if I can find
some more info.

On 19 June 2017 at 08:04, Lukasz Lenart <lukaszlen...@apache.org> wrote:

> Did you test that? I think <welcome-list/> ignore security constraints
> ... or maybe it was just Jetty ;)
>
> 2017-06-16 10:50 GMT+02:00 Greg Huber <gregh3...@gmail.com>:
> > ...Although it blocks the <welcome-file-list> file.
> >
> > <!-- Restricts access to pure JSP files - access available only via
> Struts
> > action -->
> >     <security-constraint>
> >         <display-name>No direct JSP access</display-name>
> >         <web-resource-collection>
> >             <web-resource-name>No-JSP</web-resource-name>
> >             <url-pattern>*.jsp</url-pattern>
> >         </web-resource-collection>
> >         <auth-constraint>
> >             <role-name>no-users</role-name>
> >         </auth-constraint>
> >     </security-constraint>
> >
> >     <security-role>
> >         <description>Don't assign users to this role</description>
> >         <role-name>no-users</role-name>
> >     </security-role>
> >
> >     <welcome-file-list>
> >         <welcome-file>WEB-INF/jsps/index.jsp</welcome-file>
> >     </welcome-file-list>
> >
> > On 16 June 2017 at 08:54, Lukasz Lenart <lukaszlen...@apache.org> wrote:
> >
> >> Great! I have added a ToC and pushed to the top :)
> >>
> >> http://struts.apache.org/security/
> >>
> >>
> >> Regards
> >> --
> >> Ɓukasz
> >> + 48 606 323 122 http://www.lenart.org.pl/
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
> >> For additional commands, e-mail: dev-h...@struts.apache.org
> >>
> >>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
> For additional commands, e-mail: dev-h...@struts.apache.org
>
>

Reply via email to