As long as the compiled classes are in a different directory (i.e.
/JRun/jsm-default/services/jse/servlets/jsp), I think you could try to set
your access restrictions in this directory.

I've never heard of AuthentiX, but maybe the problem could be that the
"invalid" message includes the original page, rather than redirecting
(intercepting) the request.

Sylvain

-----Original Message-----
From: Dave Ferguson <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Monday, 16 August 1999 23:01
Subject: Using web server to restrict JSP access


>We're running IIS 4.0 on NT and using JRun 2.3 as our JSP/servlet engine.
>I have a set of JSP's that I'm using in a "Model 1" configuration.  I need
>to restrict access to these JSP's, so my thinking was just to use the
>authentication control options in the IIS web server.
>
>Unfortunately, no matter what kind of restrictions I set up, the JSP's
>display normally.  This is true even when I deny anonymous access.  In
>contrast to JSP's, pure HTML files are restricted correctly.  I also tried
>setting up IIS to deny access to the JSP files for all but certain IP
>addresses.  Again, these restrictions were ignored and the JSP's displayed
>normally.
>
>It seems as though JRun (an ISAPI "plug-in") is circumventing the
>restrictions placed on a resource by the web server.  This is my guess as to
>what's happening:  JRun intercepts the http request before IIS restrictions
>are processed.  It sees the ".jsp" extension on the resource requested, runs
>the generated servlet, and pushes the HTML back to the web server.  The web
>server then sends the response to the requesting client, no questions asked.
>
>Anyone have any experience or have any ideas how to make this work?  I
>realize that I could build the username/password functionality into the
>JSP's themselves, but it seems like a bad use of time and resources for
>something a web server is designed to do.  It just makes more sense to do it
>from the web server for our situation.
>
>Thanks,
>Dave F.
>
>P.S.  We also tried to set up username/password access to the JSP's using a
>3rd party tool called "AuthentiX".  The result was amusing.  When an invalid
>UN/PW was entered, the "invalid" message was shown properly, but right below
>that the restricted JSP was displayed!  I guess strange things happen when
>two ISAPI products don't work together.....
>
>===========================================================================
>To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
>of the message "signoff JSP-INTEREST".  For general help, send email to
>[EMAIL PROTECTED] and include in the body of the message "help".
>For JSP FAQ, http://www.esperanto.org.nz/jsp/jspfaq.html
>
>
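A way to check for the symptom described in this thread, added here as an example and not part of either message: request each protected path with no credentials and flag any path that is served anyway. The local server is a constructed simulation of the reported behaviour (static files get the auth challenge, `.jsp` is answered first), and the `/secure/...` paths are hypothetical.

```python
import http.server
import threading
import urllib.error
import urllib.request

class SimulatedServer(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in: *.jsp is answered before the auth check runs."""
    def do_GET(self):
        answered_by_plugin = self.path.endswith(".jsp")
        if answered_by_plugin or self.headers.get("Authorization"):
            self.send_response(200)
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="constructed"')
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

def probe(base_url, paths):
    """Request each path anonymously; return {path: HTTP status}."""
    # Empty ProxyHandler: ignore proxy settings from the environment.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    results = {}
    for path in paths:
        try:
            with opener.open(base_url + path, timeout=5) as resp:
                results[path] = resp.status
        except urllib.error.HTTPError as err:
            results[path] = err.code
    return results

def unprotected(results):
    """Paths that answered an anonymous request with anything but 401/403."""
    return sorted(p for p, status in results.items() if status not in (401, 403))

def run_demo():
    """Start the simulated server on a free local port and probe it."""
    server = http.server.HTTPServer(("127.0.0.1", 0), SimulatedServer)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        base = "http://127.0.0.1:%d" % server.server_port
        return probe(base, ["/secure/index.html", "/secure/report.jsp"])
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    results = run_demo()
    print(results, "served without credentials:", unprotected(results))
```

Against a real server you administer, call `probe()` with its base URL and one path per handler mapping (static file, JSP, servlet), so every extension routed to a plug-in is covered.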
