Maybe you could try having your JSP engine run as a different user (perhaps
an anonymous user, the same as your default anonymous web user) and see if
that stops the engine from being able to retrieve and parse the html file...
I don't know if that would work but it's worth a try :)

-----Original Message-----
From: Dave Ferguson [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 17, 1999 7:57 AM
To: [EMAIL PROTECTED]
Subject: Using web server to restrict JSP access


We're running IIS 4.0 on NT and using JRun 2.3 as our JSP/servlet engine.  I
have a set of JSP's that I'm using in a "Model 1" configuration.  I need to
restrict access to these JSP's, so my thinking was just to use the
authentication control options in the IIS web server.

Unfortunately, no matter what kind of restrictions I set up, the JSP's
display normally.  This is true even when I deny anonymous access.  In
contrast to JSP's, pure HTML files are restricted correctly.  I also tried
setting up IIS to deny access to the JSP files for all but certain IP
addresses.  Again, these restrictions were ignored and the JSP's displayed
normally.

It seems as though JRun (an ISAPI "plug-in") is circumventing the
restrictions placed on a resource by the web server.  This is my guess as to
what's happening:  JRun intercepts the http request before IIS restrictions
are processed.  It sees the ".jsp" extension on the resource requested, runs
the generated servlet, and pushes the HTML back to the web server.  The web
server then sends the response to the requesting client, no questions asked.

Anyone have any experience or have any ideas how to make this work?  I
realize that I could build the username/password functionality into the
JSP's themselves, but it seems like a bad use of time and resources for
something a web server is designed to do.  It just makes more sense to do it
from the web server for our situation.

Thanks,
Dave F.

P.S.  We also tried to set up username/password access to the JSP's using a
3rd party tool called "AuthentiX".  The result was amusing.  When an invalid
UN/PW was entered, the "invalid" message was shown properly, but right below
that the restricted JSP was displayed!  I guess strange things happen when
two ISAPI products don't work together.....

===========================================================================
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff JSP-INTEREST".  For general help, send email to
[EMAIL PROTECTED] and include in the body of the message "help".
For JSP FAQ, http://www.esperanto.org.nz/jsp/jspfaq.html
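
An added example, not part of the thread above and not IIS or JRun code: a check that requests each restricted path with no credentials and reports any that are served anyway, which is the symptom described in the original message. The demo server and the /secure/ paths are constructed for illustration; the server only mimics the reported behaviour (.jsp answered without a challenge, .html challenged).

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Ignore any proxy settings in the environment so the request goes direct.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def anonymous_status(url):
    """Fetch url with no credentials and return the HTTP status code."""
    try:
        with _opener.open(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401/403 arrive here: the restriction held

def unprotected(base_url, paths):
    """Return the paths an unauthenticated client receives a 2xx response for."""
    return [p for p in paths if 200 <= anonymous_status(base_url + p) < 300]

class DemoHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the misbehaving server in the thread."""
    def do_GET(self):
        if self.path.endswith(".jsp"):   # handed to the engine, no challenge
            self.send_response(200)
        else:                            # static file, server enforces auth
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="demo"')
        self.end_headers()

    def log_message(self, *args):        # keep the demo quiet
        pass

def run_demo():
    """Start the demo server on a free loopback port and audit two paths."""
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        base = "http://127.0.0.1:%d" % server.server_address[1]
        return unprotected(base, ["/secure/report.jsp", "/secure/index.html"])
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print("served without authentication:", run_demo())
```

Pointing unprotected() at a real base URL with one path per handler type (static file, JSP, servlet mapping) shows which resource types the web server's restrictions actually cover.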
