Hans: Thanks for the clarification.
----- Original Message -----
From: "Hans Bergsten" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, August 30, 2001 11:02 AM
Subject: Re: controller and security
> wilson tan wrote:
> >
> > Does anyone have a sample generic controller (MVC model) in either JSP or
> > servlet - to be used for controlling JSP redirection and security? Hans
> > Bergsten's sample PBController etc. does not claim that it will fulfill the
> > security requirements one needs.
>
> Maybe I'm not clear in the book. It seems like you have misunderstood
> what I say about the Controller servlet.
>
> What I describe in the book is that you should make it impossible to access
> a JSP page directly (as opposed to through the Controller) if the JSP page
> contains information that must be protected. As I also say in the book, it's
> pretty rare that a JSP page that is used together with a Controller contains
> sensitive info by itself, since the sensitive data is typically made
> available by the Controller. Hence, if a user accesses the JSP page directly
> it doesn't contain any sensitive information at all.
>
> But if it does contain sensitive data, you can make it impossible to
> access the page directly in at least two ways: define a security constraint
> for the JSP pages with a role that no user is assigned to, or put all JSP
> pages under WEB-INF. I describe the first approach in the book (Chapter 14).
> Placing the JSP pages under the WEB-INF directory should also work,
> since a web container is not allowed to serve files under this directory
> directly to a browser, while a servlet should be allowed to forward to
> pages located there.
>
> This is something to be aware of for all Controller implementations
> based on Servlet 2.2, not just the ones described in my book. The
> reason is that it's not possible to configure a Servlet 2.2 container
> to let a servlet process a request and then let the servlet forward
> to a JSP page without going through some tricks with the URI name space.
> For instance, if you map the Controller servlet to "/*" and try to
> forward to "/foo/bar.jsp", the Controller will be invoked again and
> you end up with an endless loop. You must map the Controller either to
> a virtual path, such as "/ctr/*" or special extension such as "*.do".
> And with this type of mapping, a user can access a JSP at "/foo/bar.jsp"
> directly unless you protect it with a security constraint as described
> above.
>
> If this is still confusing, please read Chapter 14 in my book for
> more details:
>
> <http://TheJSPBook.com/>
>
> Hans
> --
> Hans Bergsten [EMAIL PROTECTED]
> Gefion Software http://www.gefionsoftware.com
> Author of JavaServer Pages (O'Reilly), http://TheJSPBook.com
>
>
> ===========================================================================
> To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
> For digest: mailto [EMAIL PROTECTED] with body: "set JSP-INTEREST DIGEST".
> Some relevant FAQs on JSP/Servlets can be found at:
>
> http://java.sun.com/products/jsp/faq.html
> http://www.esperanto.org.nz/jsp/jspfaq.html
> http://www.jguru.com/jguru/faq/faqpage.jsp?name=JSP
> http://www.jguru.com/jguru/faq/faqpage.jsp?name=Servlets
>
> ===========================================================================
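As an added example (not from Hans's book, his posting, or any code on the list), here is a Servlet 2.2 web.xml that applies both points from the message above: the Controller is mapped to a virtual path instead of "/*", and every *.jsp is covered by a security constraint whose role is never granted to any user. The servlet class com.example.Controller, the "/ctr/*" path, the role name "nobody" and the realm name are assumptions chosen for illustration.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
  "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>

  <!-- Hypothetical controller class; any front controller servlet will do. -->
  <servlet>
    <servlet-name>controller</servlet-name>
    <servlet-class>com.example.Controller</servlet-class>
  </servlet>

  <!-- Map the Controller to a virtual path. Do NOT use "/*": with that
       mapping a RequestDispatcher.forward() to /foo/bar.jsp is routed back
       into the Controller and the request loops forever. An extension
       mapping such as "*.do" works the same way as "/ctr/*". -->
  <servlet-mapping>
    <servlet-name>controller</servlet-name>
    <url-pattern>/ctr/*</url-pattern>
  </servlet-mapping>

  <!-- Approach 1: require a role that no user is ever assigned to for every
       JSP. A browser asking for /foo/bar.jsp directly is refused; the
       Controller's forward() is an internal dispatch and is not subject to
       the constraint, so the page still renders when reached through it. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>JSP pages</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>nobody</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- A login-config is needed for the container to challenge the request
       at all; BASIC and the realm name are assumptions. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Controller-only pages</realm-name>
  </login-config>

  <!-- The role must be declared so the container accepts the constraint,
       but it must never be granted in the realm's user store. -->
  <security-role>
    <role-name>nobody</role-name>
  </security-role>

</web-app>
```

Approach 2 from the message needs no descriptor entry: keep the pages under /WEB-INF/jsp/ and have the Controller forward with request.getRequestDispatcher("/WEB-INF/jsp/bar.jsp").forward(request, response); the container will not serve a WEB-INF resource to a browser, while the servlet is allowed to forward to it. Two checks after deploying: request /foo/bar.jsp and /WEB-INF/jsp/bar.jsp directly from a browser and confirm both are refused (typically 401/403 for the constrained page, 404 for the WEB-INF one), and review the container's user store (for example Tomcat's tomcat-users.xml), since the "nobody" trick silently stops working the moment someone is granted that role there, which web.xml alone cannot prevent.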