Hi, Shouldn't this work for tomcat too ? I am trying to lock-down some JSP's using the same procedure with an empty auth-constraint.
But http://localhost/x/y.jsp still shows the JSP. Thanks, Mohan -----Original Message----- From: Kris Schneider [mailto:[EMAIL PROTECTED]] Sent: Monday, January 13, 2003 11:55 PM To: Struts Users Mailing List Subject: RE: Controlling Direct Access to jsp pages Here's an approach that works with WebLogic 7. All the JSP's except index.jsp (the welcome page) are kept in a directory called pages. index.jsp simply contains: <%@ taglib prefix="logic" uri="http://jakarta.apache.org/struts/tags-logic"; %> <logic:forward name="main"/> Where "main" is the name of a global forward that represents the true entry point into the app. web.xml contains: <security-constraint> <web-resource-collection> <web-resource-name>Pages</web-resource-name> <url-pattern>/pages/*</url-pattern> </web-resource-collection> <auth-constraint></auth-constraint> </security-constraint> An empty auth-constraint is interpreted to mean deny all access. Quoting "Colquhoun, Adrian" <[EMAIL PROTECTED]>: > > I have had a go at this - I get a 500 error message "Cannot perform access > control without an authenticated principal" - presumably I need to do > something else as well ? > > > -----Original Message----- > From: David Graham [mailto:[EMAIL PROTECTED]] > Sent: 13 January 2003 15:54 > To: [EMAIL PROTECTED] > Subject: Re: Controlling Direct Access to jsp pages > > > Put this security info at the bottom of your web.xml to prevent access to > any *.jsp file: > > <security-constraint> > <web-resource-collection> > <web-resource-name>SecureAllJSPs</web-resource-name> > <url-pattern>*.jsp</url-pattern> > </web-resource-collection> > <auth-constraint> > <role-name>nobody</role-name> > </auth-constraint> > </security-constraint> > > <security-role> > <description>No one should be put in this > role.</description> > <role-name>nobody</role-name> > </security-role> > > > David > > > > > > > >From: "Colquhoun, Adrian" <[EMAIL PROTECTED]> > >Reply-To: "Struts Users Mailing List" <[EMAIL PROTECTED]> > >To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]> > >Subject: Controlling Direct Access to jsp pages > >Date: Mon, 13 Jan 2003 15:40:45 -0000 > > > > > >Hi > > > >If I have three pages in my view layer that must be called in sequence > e.g. > > > > - step1.jsp then > > - step2.jsp then > > - step3.jsp > > > > How do I ensure that my users do not call step2 and step3 directly via a > >web browser. Do I need to use a custom tag in pages 2 and 3 to check this > >or is there some way to force all requests for .jsp pages in my > application > >to route via the ActionServlet > > > >Thanks > > > >Adrian > > > > > >======================================================================= > >Information in this email and any attachments are confidential, and may > >not be copied or used by anyone other than the addressee, nor disclosed > >to any third party without our permission. There is no intention to > >create any legally binding contract or other commitment through the use > >of this email. > > > >Experian Limited (registration number 653331). > >Registered office: Talbot House, Talbot Street, Nottingham NG1 5HF > > > >-- > >To unsubscribe, e-mail: > ><mailto:[EMAIL PROTECTED]> > >For additional commands, e-mail: > ><mailto:[EMAIL PROTECTED]> > > > _________________________________________________________________ > MSN 8 helps eliminate e-mail viruses. Get 2 months FREE* > http://join.msn.com/?page=features/virus > > > -- > To unsubscribe, e-mail: > <mailto:[EMAIL PROTECTED]> > For additional commands, e-mail: > <mailto:[EMAIL PROTECTED]> > > > ======================================================================= > Information in this email and any attachments are confidential, and may > not be copied or used by anyone other than the addressee, nor disclosed > to any third party without our permission. There is no intention to > create any legally binding contract or other commitment through the use > of this email. > > Experian Limited (registration number 653331). > Registered office: Talbot House, Talbot Street, Nottingham NG1 5HF > > -- > To unsubscribe, e-mail: > <mailto:[EMAIL PROTECTED]> > For additional commands, e-mail: > <mailto:[EMAIL PROTECTED]> > -- Kris Schneider <mailto:[EMAIL PROTECTED]> D.O.Tech <http://www.dotech.com/> -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]> -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
