We're running IIS 4.0 on NT and using JRun 2.3 as our JSP/servlet engine. I have a
set of JSP's that I'm using in a "Model 1" configuration. I need to restrict access
to these JSP's, so my thinking was just to use the authentication control options in
the IIS web server.
Unfortunately, no matter what kind of restrictions I set up, the JSP's display
normally. This is true even when I deny annonymous access. In contrast to JSP's,
pure HTML files are restricted correctly. I also tried setting up IIS to deny access
to the JSP files for all but certain IP addresses. Again, these restrictions were
ignored and the JSP's displayed normally.
It seems as though JRun (an ISAPI "plug-in") is circumventing the restrictions placed
on a resource by the web server. This is my guess as to what's happening: JRun
intercepts the http request before IIS restrictions are processed. It sees the ".jsp"
extension on the resource requested, runs the generated servlet, and pushes the HTML
back to the web server. The web server then sends the response to the requesting
client, no questions asked.
Anyone have any experience or have any ideas how to make this work? I realize that I
could build the username/password functionality into the JSP's themselves, but it
seems like a bad use of time and resources for something a web server is designed to
do. It just makes more sense to do it from the web server for our situation.
Thanks,
Dave F.
P.S. We also tried to set up username/password access to the JSP's using a 3rd party
tool called "AuthentiX". The result was amusing. When an invalid UN/PW was entered,
the "invalid" message was shown properly, but right below that the restricted JSP was
displayed! I guess strange things happen when two ISAPI products don't work
together.....
===========================================================================
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff JSP-INTEREST". For general help, send email to
[EMAIL PROTECTED] and include in the body of the message "help".
For JSP FAQ, http://www.esperanto.org.nz/jsp/jspfaq.html
