I sometimes set up a security constraint (like the others shown on this thread) to block access to JSPs -- though, not to block access from users but to block access from page authors!

If your application is following the Struts best practice of putting all JSPs behind actions, your users never learn where the JSPs are. The only URLs they see on their address line are .do's (or .html's if you are using statics).

For the site welcome page, I usually use an HTML refresh instead. Seems a little slower than a JSP, but it preserves the "no JSP rule".

<html><head><META HTTP-EQUIV="Refresh" CONTENT="0;URL=./Welcome.do">
</head><body></body></html>

-Ted.


Takfung Chan wrote:
Hi,
I have a Struts-based application and would like to block all direct access to JSP files by users, so that if a user types a URL pointing to a JSP file directly, it will fail. I made a change to web.xml, but it is not working on WebSphere 4.0.3 (I should post to the WebSphere newsgroup, but I hope someone here has already done the same thing).
Here is my web.xml config related to this web resource protection. It works fine on Tomcat, but never on WebSphere. Any idea?


<security-constraint>
        <web-resource-collection>
                <web-resource-name>blockJSPDirectAccess</web-resource-name>
                <description>to block JSP direct access</description>
                <url-pattern>*.jsp</url-pattern>
        </web-resource-collection>
        <auth-constraint>
                <description></description>
                <role-name></role-name>
        </auth-constraint>
  </security-constraint>




--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]




--
Ted Husted,
Struts in Action <http://husted.com/struts/book.html>
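
An added example, not part of the original messages: a small Python check that reads a web.xml and reports how its *.jsp constraint is expressed. It separates the quoted descriptor's blank <role-name> from an auth-constraint that names no roles, which Servlet 2.4 and later define as denying all direct requests; the function names and verdict strings are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed input: the constraint from the quoted message, with its empty <role-name>.
QUOTED = """<web-app><security-constraint>
  <web-resource-collection>
    <web-resource-name>blockJSPDirectAccess</web-resource-name>
    <url-pattern>*.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint><role-name></role-name></auth-constraint>
</security-constraint></web-app>"""

# Constructed input: same collection, auth-constraint naming no roles at all.
NO_ROLES = QUOTED.replace("<role-name></role-name>", "")


def _local(tag):
    # Drop any XML namespace so DTD-based and schema-based descriptors both match.
    return tag.rsplit("}", 1)[-1]


def _kids(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def audit_jsp_constraint(web_xml, pattern="*.jsp"):
    """Return one verdict per <security-constraint> that covers `pattern`."""
    verdicts = []
    for sc in _kids(ET.fromstring(web_xml), "security-constraint"):
        patterns = [(u.text or "").strip()
                    for wrc in _kids(sc, "web-resource-collection")
                    for u in _kids(wrc, "url-pattern")]
        if pattern not in patterns:
            continue
        auth = _kids(sc, "auth-constraint")
        if not auth:
            verdicts.append("open")        # no auth-constraint: nothing is restricted
            continue
        roles = [(r.text or "").strip() for r in _kids(auth[0], "role-name")]
        if not roles:
            verdicts.append("deny-all")    # names no roles: nobody may request it
        elif "" in roles:
            verdicts.append("empty-role")  # blank role name: left to the container
        else:
            verdicts.append("roles:" + ",".join(roles))
    return verdicts or ["uncovered"]       # no constraint mentions the pattern


if __name__ == "__main__":
    for label, doc in (("quoted", QUOTED), ("no roles", NO_ROLES)):
        print(label, audit_jsp_constraint(doc))
```

Forwards from an action to a JSP go through the RequestDispatcher, which the declarative security model does not cover, so a deny-all constraint blocks only direct client requests.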


