On Tue, 19 Nov 2002, David Graham wrote:
> My understanding of WebLogic is that it does not allow jsps under WEB-INF.
> WebLogic is one of the 2 most popular containers so that makes this approach
> non-portable.

Ugh. Even in WebLogic 7? If this is really true, you can expect me to be
pestering them big time about this. ;-)

--
Martin Cooper

>
> David
>
> >From: Martin Cooper <[EMAIL PROTECTED]>
> >Reply-To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
> >To: Struts Users Mailing List <[EMAIL PROTECTED]>
> >Subject: RE: JSP's under WEB-INF... or not
> >Date: Tue, 19 Nov 2002 21:54:00 -0800 (PST)
> >
> >On Tue, 19 Nov 2002, David Graham wrote:
> >
> > > You can keep your jsps in public folders and protect them with this
> > > security rule in your web.xml file. This keeps your application
> > > portable and prevents direct access to jsps. Just make sure nobody is
> > > added to the "nobody" role.
> >
> >Just curious - why would one choose to do this instead of simply locating
> >their JSP pages under WEB-INF (which is also portable)?
> >
> >--
> >Martin Cooper
> >
> > > <security-constraint>
> > >   <web-resource-collection>
> > >     <web-resource-name>SecureAllJSPs</web-resource-name>
> > >     <url-pattern>*.jsp</url-pattern>
> > >   </web-resource-collection>
> > >
> > >   <auth-constraint>
> > >     <description>
> > >       No roles should be able to access a JSP directly. Everyone
> > >       must go through the controller servlet.
> > >     </description>
> > >     <role-name>nobody</role-name>
> > >   </auth-constraint>
> > > </security-constraint>
> > >
> > > <security-role>
> > >   <description>
> > >     Nobody should be in this role so jsp files are protected
> > >     from direct access.
> > >   </description>
> > >   <role-name>nobody</role-name>
> > > </security-role>
> > >
> > > >From: "edgar" <[EMAIL PROTECTED]>
> > > >Reply-To: <[EMAIL PROTECTED]>
> > > >To: "'Struts Users Mailing List'" <[EMAIL PROTECTED]>
> > > >Subject: RE: JSP's under WEB-INF... or not
> > > >Date: Tue, 19 Nov 2002 18:42:52 -0500
> > > >
> > > >The only reason with struts to put the jsp's under the web-inf is to
> > > >guarantee that your actions are executed in the expected manner. If you
> > > >leave the jsp's in a public directory then it is possible to execute
> > > >them out of sequence or without the proper form load / unload since the
> > > >web server will just as happily give out the jsp as the action in a
> > > >public directory.
> > > >
> > > >The style sheets and images were not supposed to be moved to the web-inf
> > > >directory. Perhaps that was the source of your problem. Since tiles is
> > > >driven by the struts action controller it will not be a problem in the
> > > >web-inf directory.
> > > >
> > > >Hope this helps
> > > >
> > > >Edgar
> > > >
> > > >-----Original Message-----
> > > >From: Wendy Smoak [mailto:[EMAIL PROTECTED]]
> > > >Sent: Tuesday, November 19, 2002 5:41 PM
> > > >To: 'Struts Users Mailing List'
> > > >Subject: JSP's under WEB-INF... or not
> > > >
> > > >Having the jsp files under WEB-INF is nice because I know no one can get
> > > >to them without going through an action. But it already caused one
> > > >problem with my style sheet and the images within it.
> > > >
> > > >Now I'm about to add tiles to the mix, and I wonder if I'm going to
> > > >unnecessarily complicate my life by having my jsp's where they don't
> > > >"officially" belong.
> > > >
> > > >I'm wondering if I can get the same effect by putting them in
> > > >/path/to/tomcat/webapps/my_app/private and then putting a Filter in
> > > >front of just that directory to keep people from requesting those pages
> > > >directly.
> > > >
> > > >Any comments? Other ideas?
> > > >
> > > >--
> > > >Wendy Smoak
> > > >Applications Systems Analyst, Sr.
> > > >Arizona State University PA Information Resources Management

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
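
The Filter idea raised in the original question, sketched as an added example that is not part of the thread or of Struts. It assumes the javax.servlet 3.0+ API (newer than this 2002 discussion) and JSPs kept under /private/; DirectJspAccessFilter is a hypothetical class name.

```java
// Added example, not from the thread. Assumes the javax.servlet 3.0+ API and
// that the JSPs live under /private/ (the directory proposed in the question).
// DirectJspAccessFilter is a hypothetical class name.
import java.io.IOException;
import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

// Map the filter for every dispatch type it must tell apart, so the decision
// is made in code instead of depending on the container's default mapping.
@WebFilter(urlPatterns = {"/private/*"},
           dispatcherTypes = {DispatcherType.REQUEST, DispatcherType.FORWARD,
                              DispatcherType.INCLUDE, DispatcherType.ERROR})
public class DirectJspAccessFilter implements Filter {

    @Override
    public void init(FilterConfig config) {
        // No configuration needed.
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // REQUEST: the client asked for this URL itself.
        // FORWARD / INCLUDE: a servlet (for example the Struts controller, or a
        // Tiles layout) dispatched to the page after the action has run.
        if (req.getDispatcherType() == DispatcherType.REQUEST) {
            // 404 rather than 403, so the response does not confirm the page exists.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

Style sheets and images stay outside /private/, since browsers request those directly and would receive the 404.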

