wilson tan wrote:
>
> Does anyone have a sample generic controller (MVC model) in either JSP or
> servlet - to be used for controlling JSP redirection and security?  Hans
> Bergsten's sample PBController etc. does not claim that it will fulfill the
> security requirements one needs.

Maybe I'm not clear in the book. It seems like you have misunderstood
what I say about the Controller servlet.

What I describe in the book is that you should make it impossible to access
a JSP page directly (as opposed to through the Controller) if the JSP page
contains information that must be protected. As I also say in the book, it's
pretty rare that a JSP page that is used together with a Controller contains
sensitive info by itself, since the sensitive data is typically made
available by the Controller. Hence, if a user accesses the JSP page directly
it doesn't contain any sensitive information at all.

But if it does contain sensitive data, you can make it impossible to
access the page directly in at least two ways: define a security constraint
for the JSP pages with a role that no user is assigned to, or put all JSP
pages under WEB-INF. I describe the first approach in the book (Chapter 14).
Placing the JSP pages under the WEB-INF directory should also work,
since a web container is not allowed to serve files under this directory
directly to a browser, while a servlet should be allowed to forward to
pages located there.

This is something to be aware of for all Controller implementations
based on Servlet 2.2, not just the ones described in my book. The
reason is that it's not possible to configure a Servlet 2.2 container
to let a servlet process a request and then let the servlet forward
to a JSP page without going through some tricks with the URI name space.
For instance, if you map the Controller servlet to "/*" and try to
forward to "/foo/bar.jsp", the Controller will be invoked again and
you end up with an endless loop. You must map the Controller either to
a virtual path, such as "/ctr/*", or a special extension, such as "*.do".
And with this type of mapping, a user can access a JSP at "/foo/bar.jsp"
directly unless you protect it with a security constraint as described
above.

If this is still confusing, please read Chapter 14 in my book for
more details:

  <http://TheJSPBook.com/>

Hans
--
Hans Bergsten           [EMAIL PROTECTED]
Gefion Software         http://www.gefionsoftware.com
Author of JavaServer Pages (O'Reilly), http://TheJSPBook.com
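As an added illustration of the two protections described in the message above (not code from the book or from this thread), here is a minimal Servlet 2.2 style Controller that forwards only to JSP pages kept under WEB-INF, with the web.xml mapping and the alternative role-based constraint in the comment; the class name, action names, view paths and the "nobody" role are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;
import java.util.*;
/*
 * web.xml (assumed): map the Controller to a virtual path, not "/*", so the
 * forward below does not re-enter the Controller and loop:
 *
 *   <servlet>
 *     <servlet-name>controller</servlet-name>
 *     <servlet-class>Controller</servlet-class>
 *   </servlet>
 *   <servlet-mapping>
 *     <servlet-name>controller</servlet-name>
 *     <url-pattern>/ctr/*</url-pattern>
 *   </servlet-mapping>
 *
 * If pages must stay outside WEB-INF, the post's other option is a constraint
 * with a role no user holds: "/foo/bar.jsp" is then refused on a direct
 * request but can still be reached by a forward from the Controller:
 *
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>views</web-resource-name>
 *       <url-pattern>*.jsp</url-pattern>
 *     </web-resource-collection>
 *     <auth-constraint><role-name>nobody</role-name></auth-constraint>
 *   </security-constraint>
 */
public class Controller extends HttpServlet {
    // Fixed action -> view table: the forward target never comes from the
    // request, so a client cannot pick an arbitrary file to forward to.
    private static final Map<String, String> VIEWS = new HashMap<String, String>();
    static {
        VIEWS.put("/list", "/WEB-INF/jsp/list.jsp");
    }
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        String view = VIEWS.get(req.getPathInfo()); // "/list" for /ctr/list
        if (view == null) {
            res.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // The Controller, not the page, supplies the sensitive data; a JSP
        // under WEB-INF is never served by the container on a direct request.
        req.setAttribute("items", new String[] { "example" }); // constructed
        RequestDispatcher rd = getServletContext().getRequestDispatcher(view);
        rd.forward(req, res);
    }
}
```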
