Hi Scott,
I thought I had seen some way of specifying so in the security part of
the JSDK2.2 spec but I don't seem to find it now. So I might have seen
it in a container specific implementation and got confused. However, one
approach you might want to try is to use a request Attribute as a "flag"
to make sure the request went first through the controller servlet. Set
this attribute to some value in your controller servlet
(request.setAttribute("controlled",new Boolean("true"))) and then check
at the beginning of each "hidden" JSP that you have this specific
attribute set to true ((Boolean)request.getAttribute("controlled")) if
the attribute is not there, then redirect/forward to a blank/error page.
As the attributes cannot be set by the client request (they just set
request parameters) then you are relatively safe.
That's a good use for a very simple taglib ;).
You would have to add this taglib to all the JSPs you want to protect
but this might turn into an advantage as you will be able to choose
which JSPs are protected and which not.
I hope this helps,
Dan
-------------------------------------------
Daniel Lopez Janariz ([EMAIL PROTECTED])
Web Services
Computer Center
Balearic Islands University
-------------------------------------------
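
Added example, not part of the original messages: one way to implement the attribute-flag check described in the message above, with the controller setting the flag and a small tag handler enforcing it at the top of each protected JSP. The class names, the tag name `requireController` and its `guard` prefix are hypothetical, and a tag library descriptor mapping that tag to the handler is assumed; the calls used are the standard `javax.servlet` and `javax.servlet.jsp` APIs.

```java
// Added example, not from the thread. Names marked "hypothetical" are assumptions.
// ---- ControllerServlet.java ----
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.*;

public class ControllerServlet extends HttpServlet {
    public static final String FLAG = "controlled"; // attribute name used in the post

    protected void service(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        // The controller's own login/authorization checks run here, before the flag is set.
        req.setAttribute(FLAG, Boolean.TRUE);
        // Use forward(), not sendRedirect(): request attributes exist only for this
        // one server-side request. A redirect makes the browser issue a new request,
        // which arrives at the JSP without the flag.
        req.getRequestDispatcher("/jsp/login.jsp").forward(req, res);
    }
}

// ---- RequireControllerTag.java (hypothetical tag handler) ----
import java.io.IOException;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.tagext.TagSupport;

// Placed as the first element of each protected JSP: <guard:requireController/>
public class RequireControllerTag extends TagSupport {
    public int doEndTag() throws JspException {
        Object flag = pageContext.getRequest().getAttribute(ControllerServlet.FLAG);
        // Boolean.TRUE.equals() is null-safe: a missing attribute (direct hit on
        // /jsp/login.jsp) or a value of the wrong type both fail the check.
        if (Boolean.TRUE.equals(flag)) {
            return EVAL_PAGE; // request came through the controller: render the page
        }
        try {
            // The tag runs before any page output, so the response is not yet committed.
            ((HttpServletResponse) pageContext.getResponse())
                    .sendError(HttpServletResponse.SC_NOT_FOUND);
        } catch (IOException e) {
            throw new JspException(e.getMessage());
        }
        return SKIP_PAGE; // stop evaluating the rest of the JSP
    }
}
```

The flag shows only that some server-side code set it before dispatching to the JSP, so the authorization checks themselves must run in the controller before the attribute is set.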
------------------------------
Date: Tue, 13 Jun 2000 14:56:02 +0200
From: Scott Evans <[EMAIL PROTECTED]>
Subject: Re: JSP mapping to my own servlet?
Hi Daniel,
You wrote:
"And if you got paranoid you could even protect your JSPs
from being accessed directly by disallowing any other hosts
to access /whatever/*.jsp but your local host."
How can I do that? Is it container specific?
I've also written my own model 2 security mechanism provided by the
controller servlet - everything works great, but I don't know how to
stop users from invoking my jsp's directly.
For example, if an application link is:
/servletMapName/doLogin
how can I protect against a user directly accessing a page via its file
system location, such as:
/jsp/login.jsp ?
Thanks,
Scott
-----Original Message-----
From: Daniel Lopez [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 13, 2000 12:16 PM
To: [EMAIL PROTECTED]
Subject: Re: JSP mapping to my own servlet?
Hi Kevin,
I've done pretty much what you are asking for in our WebLeaf framework,
so I'll add my own comments intermixed ;).
------------------------------
<snipped for brevity's sake>
------------------------------