The two approaches that work for me are:

1). All JSPs (except maybe a welcome page) in a subdirectory of WEB-INF (not all
containers support this).

2). All JSPs (except maybe a welcome page) in a subdirectory of the app root and
the following <security-constraint>:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Pages</web-resource-name>
    <url-pattern>/pages/*</url-pattern>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>

Personally, I'd stay away from trying to mess with the "*.jsp" url-pattern since
it's near and dear to your container's heart. As for the welcome page, I usually
have an index.jsp that just has something like:

<%@ taglib prefix="logic"
           uri="http://jakarta.apache.org/struts/tags-logic" %>
<logic:forward name="welcome"/>

Quoting Takfung Chan <[EMAIL PROTECTED]>:

> I tried this within my WSAD 4.0.3 test environment; it doesn't work and has
> no effect on any JSP files.
> 
> I don't know if I need to configure my WSAD but I thought this is a 
> normal J2EE standard, which is not true in WSAD.
> 
> David
> 
> ----- Original Message -----
> From: "Pingili, Madhupal" <[EMAIL PROTECTED]>
> Date: Thursday, June 19, 2003 1:55 pm
> Subject: RE: block direct access to JSP files
> 
> > Hi,
> > I found a thread related to this: subject: Protecting JSPs using
> > security-constraint
> > Basically, the solution suggested was:
> > <security-constraint>
> >             <web-resource-collection>
> >                     <web-resource-name>SecureAllJSPs</web-resource-name>
> >                     <url-pattern>*.jsp</url-pattern>
> >             </web-resource-collection>
> >             <auth-constraint>
> >                     <role-name>nobody</role-name>
> >             </auth-constraint>
> >     </security-constraint>
> > 
> >     <security-role>
> >             <role-name>nobody</role-name>
> >    </security-role>
> > 
> > or  <security-role>
> >             <role-name>*</role-name>
> >    </security-role>
> > 
> > Thanks to David Graham and Mick Knutson
> > 
> > Regards,
> > Reddy
> > 
> > 
> > > -----Original Message-----
> > > From:     Emmanuel Feller [SMTP:[EMAIL PROTECTED]
> > > Sent:     Thursday, June 19, 2003 1:43 PM
> > > To:       Struts Users Mailing List; [EMAIL PROTECTED]
> > > Subject:  Re: block direct access to JSP files
> > > 
> > > Hi,
> > > 
> > > You may put all your JSPs under the WEB-INF directory, so
> > > they are not available to the user. But the application still
> > > works, because all navigation is done by the Struts
> > > controller. It is simple and works fine with all app servers.
> > > 
> > > You must change your struts-config.xml to reflect the
> > > change of target for all your forwards. It can be done by
> > > find/replace ...
> > > 
> > > Regards,
> > > Emmanuel
> > > ----- Original Message -----
> > > From: "Takfung Chan" <[EMAIL PROTECTED]>
> > > To: "Struts Users Mailing List"
> > > <[EMAIL PROTECTED]>
> > > Sent: Thursday, June 19, 2003 18:10
> > > Subject: block direct access to JSP files
> > > 
> > > 
> > > > Hi,
> > > > I have a Struts based application and would like to block all direct
> > > > access to JSP files by users, so if a user types a URL pointing to a
> > > > JSP file directly, it will fail. I made a change to web.xml but it is
> > > > not working on Websphere 4.0.3 (I should post to the Websphere news
> > > > group but I hope someone here already did the same thing).
> > > > Here is my web.xml config related to this web resource protection. It
> > > > works fine on Tomcat, but never in Websphere. Any idea?
> > > >
> > > > <security-constraint>
> > > >   <web-resource-collection>
> > > >   <web-resource-name>blockJSPDirectAccess</web-resource-name>
> > > >   <description>to block JSP direct access</description>
> > > >   <url-pattern>*.jsp</url-pattern>
> > > >   </web-resource-collection>
> > > >   <auth-constraint>
> > > >   <description></description>
> > > >   <role-name></role-name>
> > > >   </auth-constraint>
> > > > </security-constraint>

-- 
Kris Schneider <mailto:[EMAIL PROTECTED]>
D.O.Tech       <http://www.dotech.com/>
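An audit helper, added here as an example and not code from anyone in the thread, that reads a web.xml and reports which JSPs a user could still request directly. It assumes a web.xml without an XML namespace, treats anything under /WEB-INF/ as unreachable, and only counts an empty <auth-constraint/> as deny-all, so a constraint naming a role such as "nobody" is reported as exposed because whether that role is grantable depends on the deployment.

```python
import xml.etree.ElementTree as ET
# Constructed sample web.xml (assumed to carry no XML namespace):
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Pages</web-resource-name>
      <url-pattern>/pages/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

def deny_all_patterns(web_xml):
    """Return url-patterns guarded by a deny-everyone auth-constraint."""
    root = ET.fromstring(web_xml)
    patterns = []
    for sc in root.iter("security-constraint"):
        ac = sc.find("auth-constraint")
        # No <auth-constraint> means open access; one listing <role-name>s
        # grants those roles, so only an empty <auth-constraint/> denies all.
        if ac is None or ac.find("role-name") is not None:
            continue
        for wrc in sc.findall("web-resource-collection"):
            patterns.extend(p.text.strip() for p in wrc.findall("url-pattern"))
    return patterns

def pattern_matches(pattern, path):
    """Servlet-spec style match: exact, path prefix '/x/*', extension '*.ext'."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def exposed_jsps(web_xml, jsp_paths):
    """JSPs a user could request directly despite the configuration."""
    patterns = deny_all_patterns(web_xml)
    exposed = []
    for path in jsp_paths:
        if path.startswith("/WEB-INF/"):
            continue  # the container never serves WEB-INF directly
        if not any(pattern_matches(p, path) for p in patterns):
            exposed.append(path)
    return exposed

# Constructed JSP paths as they would sit under the webapp root.
JSPS = ["/index.jsp", "/pages/login.jsp", "/pages/admin/users.jsp",
        "/WEB-INF/pages/secret.jsp", "/old/report.jsp"]
print(exposed_jsps(WEB_XML, JSPS))  # → ['/index.jsp', '/old/report.jsp']
```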
