Instead of <url-pattern>/pages/*</url-pattern> can I have something like the
following?
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Pages</web-resource-name>
    <url-pattern>/app1/*</url-pattern>
    <url-pattern>/app2/*</url-pattern>
    <url-pattern>/app3/*</url-pattern>
    <url-pattern>/app4/*</url-pattern>
  </web-resource-collection>
  <auth-constraint></auth-constraint>
</security-constraint>
-----Original Message-----
From: Kris Schneider [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 13, 2003 12:25 PM
To: Struts Users Mailing List
Subject: RE: Controlling Direct Access to jsp pages
Here's an approach that works with WebLogic 7. All the JSP's except index.jsp
(the welcome page) are kept in a directory called pages. index.jsp simply
contains:

<%@ taglib prefix="logic" uri="http://jakarta.apache.org/struts/tags-logic" %>
<logic:forward name="main"/>

Where "main" is the name of a global forward that represents the true entry
point into the app. web.xml contains:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Pages</web-resource-name>
    <url-pattern>/pages/*</url-pattern>
  </web-resource-collection>
  <auth-constraint></auth-constraint>
</security-constraint>

An empty auth-constraint is interpreted to mean deny all access.
Quoting "Colquhoun, Adrian" <[EMAIL PROTECTED]>:
>
> I have had a go at this - I get a 500 error message "Cannot perform access
> control without an authenticated principal" - presumably I need to do
> something else as well?
>
>
> -----Original Message-----
> From: David Graham [mailto:[EMAIL PROTECTED]]
> Sent: 13 January 2003 15:54
> To: [EMAIL PROTECTED]
> Subject: Re: Controlling Direct Access to jsp pages
>
>
> Put this security info at the bottom of your web.xml to prevent access to
> any *.jsp file:
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>SecureAllJSPs</web-resource-name>
>     <url-pattern>*.jsp</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>nobody</role-name>
>   </auth-constraint>
> </security-constraint>
>
> <security-role>
>   <description>No one should be put in this role.</description>
>   <role-name>nobody</role-name>
> </security-role>
>
> David
>
> >From: "Colquhoun, Adrian" <[EMAIL PROTECTED]>
> >Reply-To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
> >To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> >Subject: Controlling Direct Access to jsp pages
> >Date: Mon, 13 Jan 2003 15:40:45 -0000
> >
> >
> >Hi
> >
> >If I have three pages in my view layer that must be called in sequence e.g.
> >
> > - step1.jsp then
> > - step2.jsp then
> > - step3.jsp
> >
> >How do I ensure that my users do not call step2 and step3 directly via a
> >web browser. Do I need to use a custom tag in pages 2 and 3 to check this
> >or is there some way to force all requests for .jsp pages in my application
> >to route via the ActionServlet
> >
> >Thanks
> >
> >Adrian
> >
> >
> >=======================================================================
> >Information in this email and any attachments are confidential, and may
> >not be copied or used by anyone other than the addressee, nor disclosed
> >to any third party without our permission. There is no intention to
> >create any legally binding contract or other commitment through the use
> >of this email.
> >
> >Experian Limited (registration number 653331).
> >Registered office: Talbot House, Talbot Street, Nottingham NG1 5HF
>
--
Kris Schneider <mailto:[EMAIL PROTECTED]>
D.O.Tech <http://www.dotech.com/>
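
An added example, not part of any message in this thread: a small Python check that parses a web.xml and reports which security-constraint entries cover a given context-relative path, handling several url-pattern elements in one web-resource-collection and telling an empty auth-constraint apart from a missing one. The descriptor is constructed from the snippets above; the code assumes a descriptor without XML namespaces and ignores http-method and the container's rules for combining overlapping constraints.

```python
import xml.etree.ElementTree as ET

# Constructed descriptor: the multi-pattern deny-all constraint from the
# question plus the "nobody" role constraint on *.jsp quoted in the thread.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Pages</web-resource-name>
      <url-pattern>/app1/*</url-pattern>
      <url-pattern>/app2/*</url-pattern>
    </web-resource-collection>
    <auth-constraint></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SecureAllJSPs</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>nobody</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def pattern_matches(pattern, path):
    """Servlet url-pattern rules: /dir/* prefix, *.ext extension, else exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return pattern == "/" or pattern == path

def verdicts(web_xml, path):
    """List the effect of every security-constraint whose patterns match path."""
    found = []
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        pats = [e.text.strip() for e in sc.iter("url-pattern")]
        if not any(pattern_matches(p, path) for p in pats):
            continue
        auth = sc.find("auth-constraint")
        if auth is None:
            found.append("unrestricted")  # no auth-constraint element
            continue
        roles = [r.text.strip() for r in auth.iter("role-name")]
        found.append("roles:" + ",".join(roles) if roles else "deny-all")
    return found
```

Running it over the paths an application actually serves shows gaps such as a look-alike directory (/app10/) that a /app1/* pattern does not cover.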