It should work, just differently. TC will return a 500 "Configuration error:
Cannot perform access control without an authenticated principal", whereas WLS7
will return a 403 "Forbidden". What does the <security-constraint> element in
your web.xml look like? With TC, however, it's easier just to locate the pages
somewhere under WEB-INF and forget about the security-constraint. Personally,
I'd prefer to do it that way; it's just that my apps have to run under WLS7 when
they get released.

Quoting Mohan Radhakrishnan <[EMAIL PROTECTED]>:

> Hi,
>    Shouldn't this work for Tomcat too? I am trying to lock down some JSPs
> using the same procedure with an empty auth-constraint.
> 
>  But http://localhost/x/y.jsp
> 
> still shows the JSP.
> 
> Thanks,
> Mohan
> 
> -----Original Message-----
> From: Kris Schneider [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 13, 2003 11:55 PM
> To: Struts Users Mailing List
> Subject: RE: Controlling Direct Access to jsp pages
> 
> 
> Here's an approach that works with WebLogic 7. All the JSPs except index.jsp
> (the welcome page) are kept in a directory called pages. index.jsp simply
> contains:
> 
> <%@ taglib prefix="logic" uri="http://jakarta.apache.org/struts/tags-logic" %>
> <logic:forward name="main"/>
> 
> Where "main" is the name of a global forward that represents the true entry
> point into the app. web.xml contains:
> 
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Pages</web-resource-name>
>     <url-pattern>/pages/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint></auth-constraint>
> </security-constraint>
> 
> An empty auth-constraint is interpreted to mean deny all access.
> 
> Quoting "Colquhoun, Adrian" <[EMAIL PROTECTED]>:
> 
> > 
> > I have had a go at this - I get a 500 error message "Cannot perform access
> > control without an authenticated principal" - presumably I need to do
> > something else as well?
> > 
> > 
> > -----Original Message-----
> > From: David Graham [mailto:[EMAIL PROTECTED]]
> > Sent: 13 January 2003 15:54
> > To: [EMAIL PROTECTED]
> > Subject: Re: Controlling Direct Access to jsp pages
> > 
> > 
> > Put this security info at the bottom of your web.xml to prevent access to
> > any *.jsp file:
> > 
> > <security-constraint>
> >   <web-resource-collection>
> >     <web-resource-name>SecureAllJSPs</web-resource-name>
> >     <url-pattern>*.jsp</url-pattern>
> >   </web-resource-collection>
> >   <auth-constraint>
> >     <role-name>nobody</role-name>
> >   </auth-constraint>
> > </security-constraint>
> >
> > <security-role>
> >   <description>No one should be put in this role.</description>
> >   <role-name>nobody</role-name>
> > </security-role>
> > 
> > 
> > David
> > 
> > 
> > 
> > 
> > 
> > 
> > >From: "Colquhoun, Adrian" <[EMAIL PROTECTED]>
> > >Reply-To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
> > >To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> > >Subject: Controlling Direct Access to jsp pages
> > >Date: Mon, 13 Jan 2003 15:40:45 -0000
> > >
> > >
> > >Hi
> > >
> > >If I have three pages in my view layer that must be called in sequence e.g.
> > >
> > >  - step1.jsp then
> > >  - step2.jsp then
> > >  - step3.jsp
> > >
> > >  How do I ensure that my users do not call step2 and step3 directly via a
> > >web browser?  Do I need to use a custom tag in pages 2 and 3 to check this
> > >or is there some way to force all requests for .jsp pages in my application
> > >to route via the ActionServlet?
> > >
> > >Thanks
> > >
> > >Adrian
> > >
> > >
> > >=======================================================================
> > >Information in this email and any attachments are confidential, and may
> > >not be copied or used by anyone other than the addressee, nor disclosed
> > >to any third party without our permission.  There is no intention to
> > >create any legally binding contract or other commitment through the use
> > >of this email.
> > >
> > >Experian Limited (registration number 653331).
> > >Registered office: Talbot House, Talbot Street, Nottingham NG1 5HF
> > >
> > >--
> > >To unsubscribe, e-mail:   
> > ><mailto:[EMAIL PROTECTED]>
> > >For additional commands, e-mail: 
> > ><mailto:[EMAIL PROTECTED]>
> > 
> > 
> > 
> 
> 
> -- 
> Kris Schneider <mailto:[EMAIL PROTECTED]>
> D.O.Tech       <http://www.dotech.com/>
> 
> 


-- 
Kris Schneider <mailto:[EMAIL PROTECTED]>
D.O.Tech       <http://www.dotech.com/>
