Dave,

I believe this was once brought up on the Live Software newsgroup.  I had a
similar problem with JRun and servlets.  I do believe that it has something
to do with running the ISAPI filter jrun.dll as a global filter.  I'd go to
Allaire (where Live Software now resides) and start poking around.

-- chris --

> -----Original Message-----
> From: A mailing list about Java Server Pages specification and reference
> [mailto:[EMAIL PROTECTED]]On Behalf Of Dave Ferguson
> Sent: Monday, August 16, 1999 4:57 PM
> To: [EMAIL PROTECTED]
> Subject: Using web server to restrict JSP access
>
>
> We're running IIS 4.0 on NT and using JRun 2.3 as our JSP/servlet
> engine.  I have a set of JSP's that I'm using in a "Model 1"
> configuration.  I need to restrict access to these JSP's, so my
> thinking was just to use the authentication control options in
> the IIS web server.
>
> Unfortunately, no matter what kind of restrictions I set up, the
> JSP's display normally.  This is true even when I deny anonymous
> access.  In contrast to JSP's, pure HTML files are restricted
> correctly.  I also tried setting up IIS to deny access to the JSP
> files for all but certain IP addresses.  Again, these
> restrictions were ignored and the JSP's displayed normally.
>
> It seems as though JRun (an ISAPI "plug-in") is circumventing the
> restrictions placed on a resource by the web server.  This is my
> guess as to what's happening:  JRun intercepts the http request
> before IIS restrictions are processed.  It sees the ".jsp"
> extension on the resource requested, runs the generated servlet,
> and pushes the HTML back to the web server.  The web server then
> sends the response to the requesting client, no questions asked.
>
> Anyone have any experience or have any ideas how to make this
> work?  I realize that I could build the username/password
> functionality into the JSP's themselves, but it seems like a bad
> use of time and resources for something a web server is designed
> to do.  It just makes more sense to do it from the web server
> for our situation.
>
> Thanks,
> Dave F.
>
> P.S.  We also tried to set up username/password access to the
> JSP's using a 3rd party tool called "AuthentiX".  The result was
> amusing.  When an invalid UN/PW was entered, the "invalid"
> message was shown properly, but right below that the restricted
> JSP was displayed!  I guess strange things happen when two ISAPI
> products don't work together.....
>
> ===========================================================================
> To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> of the message "signoff JSP-INTEREST".  For general help, send email to
> [EMAIL PROTECTED] and include in the body of the message "help".
> For JSP FAQ, http://www.esperanto.org.nz/jsp/jspfaq.html
>
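
An added example, not part of the original messages and not JRun or IIS code: a small audit that classifies unauthenticated responses per resource, to catch the two symptoms described in the thread (a JSP served despite the web server's restrictions, and a denial message followed by the restricted page). The paths, marker comments, sample responses and the 401 status on the second symptom are constructed assumptions; place a unique marker in each protected page on your own server and feed real results from `fetch_unauthenticated`.

```python
# Added example (not from the thread): check that access rules cover every resource type.
import http.client

DENIED = {401, 403}

def fetch_unauthenticated(host, path, port=80, timeout=5):
    """GET `path` with no credentials; return (status, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()

def audit(observations, markers):
    """Classify unauthenticated responses.

    observations: {path: (status, body)}
    markers: {path: bytes found only in the protected page itself}
    """
    verdicts = {}
    for path, (status, body) in observations.items():
        leaked = markers[path] in body
        if status in DENIED:
            # A denial that still carries the page is the AuthentiX symptom.
            verdicts[path] = "denied-but-leaked" if leaked else "enforced"
        else:
            verdicts[path] = "bypassed" if leaked else "inconclusive"
    return verdicts

# Constructed sample responses modelled on the symptoms described in the thread.
MARKERS = {
    "/secure/index.html": b"<!-- protected:index -->",
    "/secure/report.jsp": b"<!-- protected:report -->",
    "/secure/admin.jsp": b"<!-- protected:admin -->",
}
SAMPLE = {
    "/secure/index.html": (401, b"Access denied"),
    "/secure/report.jsp": (200, b"<html><!-- protected:report -->...</html>"),
    "/secure/admin.jsp": (401, b"Invalid login<!-- protected:admin -->..."),
}

if __name__ == "__main__":
    for path, verdict in audit(SAMPLE, MARKERS).items():
        print(f"{verdict:18} {path}")
```

Any verdict other than "enforced" on a path the web server is supposed to protect means the restriction is not being applied to that resource type.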
