Guys;
I think I read something about putting JSPs under web-inf/ so clients could not explicitly access/invoke them.
Is that an option?
-----Original Message-----
From: Dror Matalon [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 09, 2002 7:34 PM
To: [EMAIL PROTECTED]
Subject: Re: Restricting direct access of jsp's
Hi,
If you're using a 2.3 container, the best way to do this is to use a
filter. Something like this:
  <filter>
    <filter-name>controller</filter-name>
    <filter-class>com.zapatec.filter.Controller</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>controller</filter-name>
    <url-pattern>*.jsp</url-pattern>
  </filter-mapping>
You can then use your existing controller using the same mechanism as
you do for the rest of your project.
On Mon, Sep 09, 2002 at 12:00:58PM +0530, S Srinivas Nayak wrote:
> Hi Rahul,
>
> Yes, this can be done by setting a variable at the servlet (controller servlet) and verifying the same in the jsp.
> Also by checking the referer value for which page the user is coming from; it will be null if he is entering the jsp directly.
>
> Hope this was useful.
>
> Srinivas
>
> ----- Original Message -----
> From: Rahul
> To: [EMAIL PROTECTED]
> Sent: Monday, September 09, 2002 11:35 AM
> Subject: Restricting direct access of jsp's
>
>
> Hi,
>
> We are using MVC architecture in our project with j2ee 1.2.
> We have a Front Controller which is the only access point for various modules.
> This front controller performs all the authentication and authorization checks.
> If the user is authorized, it gives access to the requested resource (let's say a jsp).
>
> Since there are no authentication/authorization checks in the jsp, anybody who somehow comes to know of the url of a jsp can access the jsp.
>
> Is there any way (preferably declarative) to make the jsp's inaccessible when accessed directly?
> They should of course still work when the request is forwarded from the controller servlet.
>
>
> Thanks & Regards
> Rahul
--
Dror Matalon
Zapatec Inc
1700 MLK Way
Berkeley, CA 94709
http://www.zapatec.com
Archives: http://archives.java.sun.com/archives/servlet-interest.html
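
Added example, not code from any poster in this thread: a servlet filter for the *.jsp mapping discussed above, combined with the "variable set by the controller servlet" idea, so it works whether or not the container applies the filter to forwarded requests. The class name DirectJspGuard, the attribute name and the forwardToView helper are assumptions made for illustration.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter; register it in web.xml with url-pattern *.jsp. */
public class DirectJspGuard implements Filter {

    /** Assumed attribute name. Request attributes exist only server-side,
     *  so a client cannot supply this value the way it can a header. */
    public static final String MARKER = "example.controller.forwarded";

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Only a request that passed through the front controller carries
        // the marker; a URL typed into the browser arrives without it.
        if (Boolean.TRUE.equals(req.getAttribute(MARKER))) {
            chain.doFilter(req, res);
            return;
        }
        // Answer 404 rather than 403 so the response does not confirm
        // that a JSP exists at this path.
        ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
    }

    /** Called by the front controller once its authentication and
     *  authorization checks have passed. */
    public static void forwardToView(HttpServletRequest req,
                                     HttpServletResponse res,
                                     String jspPath)
            throws IOException, ServletException {
        req.setAttribute(MARKER, Boolean.TRUE);
        req.getRequestDispatcher(jspPath).forward(req, res);
    }
}
```

The marker is checked instead of the Referer header because the header is sent by the client, while the attribute can only be set by code running inside the web application.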