[tomcat:8.0-jre8] CONFIDENTIAL adds Cache-Control: private?

2018-08-16 Thread Martynas Jusevičius
Hi, my initial observations suggest, and SO post [1] seems to confirm, that when CONFIDENTIAL is specified on a security-constraint in web.xml, Tomcat does two things: 1. automatically redirects to HTTPS 2. appends Cache-Control: private and Expires: Thu, 01 Jan

Re: [tomcat:8.0-jre8] CONFIDENTIAL adds Cache-Control: private?

2018-08-16 Thread Olaf Kock
Hi Martynas, On 16.08.2018 14:40, Martynas Jusevičius wrote: Hi, my initial observations suggest, and SO post [1] seems to confirm, that when CONFIDENTIAL is specified on a security-constraint in web.xml, Tomcat does two things: 1. automatically redirects to

how to prevent user access to JSP pages?

2018-08-16 Thread Berneburg, Cris J. - US
Due to security concerns and general fussiness on my part, I'd like to prevent users from requesting JSP pages directly, except for the login page. I want all requests to be handled by servlets. That way I can legitimately claim that all requests are being validated, input scrubbed, JSP's

Re: how to prevent user access to JSP pages?

2018-08-16 Thread David Wall
I'll be curious to see the answers. JSPs are servlets. For us, the common way would be for your non-JSP servlets to authenticate the request (and save the results in the request), and then your JSPs can check if the request has been authenticated before progressing further. Of course, if

RE: how to prevent user access to JSP pages?

2018-08-16 Thread Louis Zipes
Maybe I'm not fully understanding the request, but can't you create a Security Folder and list out only the JSPs that you want to allow the users access to? My application is a third-party application, so I didn't develop it, but they use a folder that has a list of .jsps that I can access, so I
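A web.xml that puts the two ideas from these threads together, added here as an example and not taken from the thread or from Tomcat's own distribution: the CONFIDENTIAL transport guarantee Martynas asks about, and the "only these JSPs may be requested" list Louis describes, both expressed as security constraints. The /jsp/ directory and /jsp/login.jsp are assumed names. Two Tomcat facts the comments rely on: the https redirect goes to the connector's redirectPort, and the Cache-Control: private / Expires headers are added by the authenticator valve to the response for any request that matches a security constraint (the valve's disableProxyCaching attribute turns them off), so they are not tied to CONFIDENTIAL specifically.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example web.xml (Servlet 3.1, the level shipped with Tomcat 8.0).
     /jsp/ and /jsp/login.jsp are assumed locations. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- (1) TLS everywhere. A plain-http request that matches is redirected to
       https on the connector's redirectPort; nothing more is needed for the
       redirect. No <http-method> is listed on purpose: naming methods
       constrains only those methods and leaves every other method open. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>everything</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- (2) No client may request a template directly. An empty <auth-constraint/>
       means "no role is permitted", so Tomcat answers 403 whoever is logged in.
       Constraints are checked on REQUEST dispatches only, so a servlet can still
       RequestDispatcher.forward() to /jsp/show.jsp.
       Tomcat selects the single best-matching url-pattern (exact match, then
       longest path prefix, then extension) and applies only that pattern's
       constraints. Two consequences: a *.jsp pattern here would be shadowed by
       the /* above and never fire, and the CONFIDENTIAL guarantee has to be
       repeated because (1) is no longer the selected constraint under /jsp/. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>JSP templates</web-resource-name>
      <url-pattern>/jsp/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- (3) The login page is the one exception. An exact pattern outranks
       /jsp/*, so this constraint, which has no <auth-constraint>, is the one
       applied to it; TLS is still required. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>login page</web-resource-name>
      <url-pattern>/jsp/login.jsp</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
```

The container does the matching on the decoded, normalised path, so percent-encoding or ;jsessionid path parameters in the URL do not get around (2). If the login page does not need to be a JSP that clients hit directly, the simpler layout is to keep every template under /WEB-INF/jsp/: the container never serves anything below /WEB-INF/ to a client, forwards to it still work, and constraint (2) becomes unnecessary.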

Re: how to prevent user access to JSP pages?

2018-08-16 Thread Christopher Schultz
Cris, On 8/16/18 1:19 PM, Berneburg, Cris J. - US wrote: > Due to security concerns and general fussiness on my part, I'd like to prevent users from requesting JSP pages directly, except for the login page. Why except for the login page? I

Re: how to prevent user access to JSP pages?

2018-08-16 Thread Woonsan Ko
There's another considerable option: c. Implement a servlet filter which is mapped to /* with dispatcher options: REQUEST, INCLUDE, FORWARD. The filter may check the request URI or include/forward URI (through request attributes). Regards, Woonsan On Thu, Aug 16, 2018 at 1:19 PM, Berneburg,
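Woonsan's option (c) as a worked filter, added here as an example and not code from the thread: mapped to /* for the REQUEST, FORWARD and INCLUDE dispatcher types, it refuses JSPs that a client asks for directly, except an assumed /login.jsp, and lets a forward or include reach a template only when the request entered the application through a servlet rather than through another directly requested JSP. It matches on getServletPath()/getPathInfo() and on the javax.servlet.forward.* and javax.servlet.include.* attributes instead of the raw getRequestURI(), because the raw URI still carries the percent-escapes and ;jsessionid=... path parameters that Tomcat strips before mapping, and a check on it could be walked around. The package and class names are assumptions.

```java
package example.web; // assumed package name

import java.io.IOException;
import java.util.Locale;

import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Blocks client requests for JSP templates (except the login page) while still
 * letting servlets forward to or include them. Seeing FORWARD and INCLUDE
 * dispatches as well as REQUEST lets it also refuse a template reached via
 * jsp:forward / jsp:include from a JSP that was itself requested directly.
 */
@WebFilter(urlPatterns = "/*",
        dispatcherTypes = {DispatcherType.REQUEST, DispatcherType.FORWARD, DispatcherType.INCLUDE})
public class JspDirectAccessFilter implements Filter {

    /** The only JSP a client may request directly (assumed location). */
    static final String LOGIN_PAGE = "/login.jsp";

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!allowed(request.getDispatcherType(), targetPath(request), entryPath(request))) {
            // 404 rather than 403, so the response does not confirm that the template exists
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    /** The policy, kept free of servlet objects so it can be unit-tested. */
    static boolean allowed(DispatcherType type, String target, String entry) {
        if (!isJsp(target)) {
            return true;                        // servlets, static files: not guarded here
        }
        if (type == DispatcherType.REQUEST) {
            return LOGIN_PAGE.equals(target);   // direct client request: only the login page
        }
        return !isJsp(entry);                   // forward/include: must have entered via a servlet
    }

    /** Resource this dispatch is about to run, as a decoded, normalised context-relative path. */
    static String targetPath(HttpServletRequest r) {
        if (r.getDispatcherType() == DispatcherType.INCLUDE) {
            // on an include the request's own path methods still describe the includer;
            // the included resource is published through the include.* attributes
            return join((String) r.getAttribute(RequestDispatcher.INCLUDE_SERVLET_PATH),
                        (String) r.getAttribute(RequestDispatcher.INCLUDE_PATH_INFO));
        }
        // REQUEST and FORWARD: these are already decoded, normalised and free of
        // ;jsessionid=... path parameters, unlike getRequestURI()
        return join(r.getServletPath(), r.getPathInfo());
    }

    /** Path the client originally asked for, i.e. the entry point into the application. */
    static String entryPath(HttpServletRequest r) {
        String sp = (String) r.getAttribute(RequestDispatcher.FORWARD_SERVLET_PATH);
        if (sp != null) {
            // Tomcat sets the forward.* attributes on the first forward and keeps them
            // across nested forwards, so they always name the original request
            return join(sp, (String) r.getAttribute(RequestDispatcher.FORWARD_PATH_INFO));
        }
        return join(r.getServletPath(), r.getPathInfo()); // no forward yet: the request itself
    }

    static String join(String servletPath, String pathInfo) {
        String sp = servletPath == null ? "" : servletPath;
        return pathInfo == null ? sp : sp + pathInfo;
    }

    static boolean isJsp(String path) {
        String p = path.toLowerCase(Locale.ROOT);
        return p.endsWith(".jsp") || p.endsWith(".jspx");
    }
}
```

Register it with the @WebFilter annotation shown or with an equivalent <filter-mapping> carrying three <dispatcher> elements; a mapping without any <dispatcher> element covers REQUEST only, which is exactly the case that would let forwards go unchecked. Error pages reached through <error-page> run under the ERROR dispatcher type and are not seen by this filter.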