Martin Cooper wrote:

>>-----Original Message-----
>>From: Eddie Bush [mailto:[EMAIL PROTECTED]]
>>Sent: Friday, September 27, 2002 5:07 PM
>>To: Struts Users Mailing List
>>Subject: Re: taglib url problem
>>
>>Martin Cooper wrote:
>>
>>>>-----Original Message-----
>>>>From: Eddie Bush [mailto:[EMAIL PROTECTED]]
>>>>Sent: Friday, September 27, 2002 4:41 PM
>>>>To: Struts Users Mailing List
>>>>Subject: Re: taglib url problem
>>>>
>>>>Not to be rude, but this would be a question for
>>>>[EMAIL PROTECTED] to answer. You might get lucky and hit
>>>>on someone here that can tell you ... personally, I never put pages
>>>>under WEB-INF - that's one practice I question.
>>>>
>>>Just curious - why do you question it/dislike it?
>>>
>>It just *feels* wrong :-/ There are times when doing things that way is
>>necessary (you have subscriptions to certain material, perhaps) - I can
>>see that. I just really think you could just as easily protect that
>>information by a security constraint... and do without all the
>>"hooplah". Isn't it just added complexity?
>>
>Actually, I consider it to be added simplicity. ;-) It simplifies my app
>because I know that the container will prevent someone from accessing my JSP
>pages directly, and there is *nothing* else I have to do to ensure this.
>
>Not everyone does - or can - use container-managed security. If you do, then
>yes, you could set up a security constraint (which is extra work, although
>admittedly minimal). If you don't, then you have to build in your own access
>prevention for the JSP files themselves.
>
>>"But I don't want to add a security constraint and I want to be sure
>>people can only access my pages through actions!"
>> So ... always use actions? Tuck your files under something else -
>>/pages or
>>/nobodygonnagetmyfileswithoutgoingthroughanactionfirstdamnit_cuzthatsuncool
>>
>Bzzt! Doesn't work. ;-} Someone can still type "/pages/foo.jsp" into their
>browser and access my JSP page directly, which is exactly what I want to
>prevent. What's more, they can potentially bookmark such URLs and invoke my
>pages in the absence of the data necessary for the successful rendering of
>the page. So it looks like my site blew up. Not cool.
>

Yeah - and you can pluck the jsp name right out of that nifty <html:base/> tag output. ... you still put your static stuff top-side though, right? images and the like? I think you'd have to, unless you wanted to incur the overhead of forwarding to all of them LOL

>>Wouldn't that be less complicated and have the same effect? I
>>continually feel like I'm missing the point wrt this, to be honest. As
>>I said, it just *feels* wrong.
>>
>I think you must be missing the point somehow. ;-) Locating your pages under
>"/WEB-INF/pages" instead of "/pages" is certainly no different in terms of
>complexity, and you automatically get access prevention at no additional
>cost. Why not Just Do It?
>

Ok - that's the most sensible explanation I've heard. You used sound reasoning and you convinced me. Who can resist that Nike slogan! Seriously though, what I had seen about it before sounded like folks were having fits by doing it -- and I had no desire to have additional fits :-) seeing as how it's super-easy to set up security constraints. ... there is some trick to referencing these pages though, right? I think you sent me a URL on it - wrt forwarding or some such (from one module to another maybe).

<rationalizing/> and it doesn't really do anything but change the path of your JSPs in your actions ... There's a catch-22 here isn't there? I'll play with it.

-- 
Eddie Bush
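
The two options debated in this thread, side by side, as an added example that is not part of the original messages: a `web.xml` constraint that blocks direct requests to `/pages/*`, and a Struts forward into `/WEB-INF/pages`. The action path `/foo`, the class `example.FooAction` and the forward name `success` are hypothetical.

```xml
<!-- Fragment 1: WEB-INF/web.xml. Option A from the thread: keep JSPs under /pages
     and deny direct client requests with a security constraint. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>JSPs reachable only via actions</web-resource-name>
    <url-pattern>/pages/*</url-pattern>
  </web-resource-collection>
  <!-- An auth-constraint that names no roles denies every direct request.
       Constraints apply to client requests only, not to RequestDispatcher
       forwards, so an action can still forward to /pages/foo.jsp. -->
  <auth-constraint/>
</security-constraint>

<!-- Fragment 2: WEB-INF/struts-config.xml. Option B: move the JSPs under /WEB-INF,
     which the container never serves directly; no constraint is needed. -->
<action-mappings>
  <!-- Hypothetical action: path, type and forward name are illustrative. -->
  <action path="/foo" type="example.FooAction">
    <forward name="success" path="/WEB-INF/pages/foo.jsp"/>
  </action>
</action-mappings>
```

Static resources such as images are requested directly by the browser, so they have to stay outside both `/WEB-INF` and the constrained `/pages/*` pattern.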

