On Tue, 19 Nov 2002, David Graham wrote:
> You can keep your jsps in public folders and protect them with this security
> rule in your web.xml file. This keeps your application portable and
> prevents direct access to jsps. Just make sure nobody is added to the
> "nobody" role.

Just curious - why would one choose to do this instead of simply locating
their JSP pages under WEB-INF (which is also portable)?

--
Martin Cooper

>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>SecureAllJSPs</web-resource-name>
>     <url-pattern>*.jsp</url-pattern>
>   </web-resource-collection>
>
>   <auth-constraint>
>     <description>
>       No roles should be able to access a JSP directly. Everyone
>       must go through the controller servlet.
>     </description>
>     <role-name>nobody</role-name>
>   </auth-constraint>
> </security-constraint>
>
> <security-role>
>   <description>
>     Nobody should be in this role so jsp files are protected
>     from direct access.
>   </description>
>   <role-name>nobody</role-name>
> </security-role>
>
>
> >From: "edgar" <[EMAIL PROTECTED]>
> >Reply-To: <[EMAIL PROTECTED]>
> >To: "'Struts Users Mailing List'" <[EMAIL PROTECTED]>
> >Subject: RE: JSP's under WEB-INF... or not
> >Date: Tue, 19 Nov 2002 18:42:52 -0500
> >
> >The only reason with struts to put the jsp's under the web-inf is to
> >guarantee that your actions are executed in the expected manner. If you
> >leave the jsp's in a public directory then it is possible to execute
> >them out of sequence or without the proper form load / unload since the
> >web server will just as happily give out the jsp as the action in a
> >public directory.
> >
> >The style sheets and images were not supposed to be moved to the web-inf
> >directory. Perhaps that was the source of your problem. Since tiles is
> >driven by the struts action controller it will not be a problem in the
> >web-inf directory.
> >
> >Hope this helps
> >
> >Edgar
> >
> >-----Original Message-----
> >From: Wendy Smoak [mailto:[EMAIL PROTECTED]]
> >Sent: Tuesday, November 19, 2002 5:41 PM
> >To: 'Struts Users Mailing List'
> >Subject: JSP's under WEB-INF... or not
> >
> >
> >Having the jsp files under WEB-INF is nice because I know no one can get
> >to them without going through an action. But it already caused one
> >problem with my style sheet and the images within it.
> >
> >Now I'm about to add tiles to the mix, and I wonder if I'm going to
> >unnecessarily complicate my life by having my jsp's where they don't
> >"officially" belong.
> >
> >I'm wondering if I can get the same effect by putting them in
> >/path/to/tomcat/webapps/my_app/private and then putting a Filter in
> >front of just that directory to keep people from requesting those pages
> >directly.
> >
> >Any comments? Other ideas?
> >
> >--
> >Wendy Smoak
> >Applications Systems Analyst, Sr.
> >Arizona State University PA Information Resources Management
> >
> >
> >--
> >To unsubscribe, e-mail:
> ><mailto:[EMAIL PROTECTED]>
> >For additional commands, e-mail:
> ><mailto:[EMAIL PROTECTED]>
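
The rule quoted in this thread only holds while no account carries the blocking role, so the two files have to be checked together. The following is an added example, not part of the original thread: a small audit that reads a web.xml and a user database and reports anything that would let a JSP be requested directly. It assumes Tomcat's tomcat-users.xml layout for the user store; the function name `audit_jsp_lockout` and both sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor, modelled on the rule quoted in the thread.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SecureAllJSPs</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>nobody</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed sample user database in Tomcat's tomcat-users.xml layout.
USERS_XML = """<tomcat-users>
  <user username="alice" password="x" roles="manager"/>
  <user username="bob" password="x" roles="staff,nobody"/>
</tomcat-users>"""

def _parse(text):
    root = ET.fromstring(text)
    for el in root.iter():          # drop any XML namespace prefix
        el.tag = el.tag.split("}")[-1]
    return root

def audit_jsp_lockout(web_xml, users_xml, pattern="*.jsp"):
    """Return a list of findings; an empty list means the rule holds."""
    web, users = _parse(web_xml), _parse(users_xml)
    findings, roles, covered = [], set(), False
    for sc in web.iter("security-constraint"):
        for wrc in sc.iter("web-resource-collection"):
            if pattern not in [(u.text or "").strip() for u in wrc.iter("url-pattern")]:
                continue
            covered = True
            methods = [(m.text or "").strip() for m in wrc.iter("http-method")]
            if methods:  # listed methods limit the constraint to those methods
                findings.append(f"only {methods} constrained; other methods open")
            ac = sc.find("auth-constraint")
            if ac is None:
                findings.append("no auth-constraint, so no roles are required")
            else:
                roles |= {(r.text or "").strip() for r in ac.iter("role-name")}
    if not covered:
        findings.append(f"no security-constraint covers {pattern}")
    for u in users.iter("user"):
        held = {r.strip() for r in u.get("roles", "").split(",")} & roles
        if held:
            findings.append(f"user {u.get('username')} holds {sorted(held)}")
    return findings
```

Run against the constructed samples, it flags the account that was given the "nobody" role; the same check can sit in a build or deployment step so the rule is re-verified whenever either file changes.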

