Hi,
All my JSPs are behind actions. But, I have <html:base/> in all my JSPs.
If any user looks at html source (view source in IE), it shows the complete
URL for that JSP
like <base href="http://myapp/myWeb/SearchPage.jsp"> .
So, the JSP name is exposed.
How can I avoid this?

I have another question. I also have the following security-constraint in my
web.xml:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>SecureAllJSPs</web-resource-name>
        <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>nobody</role-name>
    </auth-constraint>
</security-constraint>

<security-role>
    <role-name>nobody</role-name>
</security-role>
 
When I try to access my JSP directly, like http://myapp/myWeb/SearchPage.jsp,
I am getting an Internal Server Error.
But that's because there is a failure of <bean:define> in that JSP.
What am I supposed to get as a response, given the above security-constraint in
web.xml?

Thanks in advance for any input/suggestion,
Reddy

> -----Original Message-----
> From: Ted Husted [SMTP:[EMAIL PROTECTED]
> Sent: Thursday, June 19, 2003 5:33 PM
> To:   Struts Users Mailing List
> Subject:      Re: block direct access to JSP files
> 
> I sometimes set up a security constraint (like the others shown on this 
> thread) to block access to JSPs -- though, not to block access from 
> users but to block access from page authors!
> 
> If your application is following the Struts best practice of putting all 
> JSPs behind actions, your users never learn where the JSPs are. The 
> only URLs they see on their address line are .do's (or .html's if you 
> are using statics).
> 
> For the site welcome page, I usually use an HTML refresh instead. Seems a 
> little slower than a JSP, but it preserves the "no JSP rule".
> 
> <html><head><META HTTP-EQUIV="Refresh" CONTENT="0;URL=./Welcome.do">
> </head><body></body></html>
> 
> -Ted.
> 
> 
> Takfung Chan wrote:
> > Hi,
> >  I have a Struts based application and would like to block all direct 
> > access to JSP files by users, so if a user types a URL pointing to a JSP 
> > file directly, it will fail. I made a change to web.xml but it is not working 
> > on WebSphere 4.0.3 (I should post to the WebSphere newsgroup but I hope 
> > someone here already did the same thing).
> >  Here is my web.xml config related to this web resource protection. It 
> > works fine on Tomcat, but never in WebSphere. Any idea?
> > 
> > <security-constraint>
> >     <web-resource-collection>
> >             <web-resource-name>blockJSPDirectAccess</web-resource-name>
> >             <description>to block JSP direct access</description>
> >             <url-pattern>*.jsp</url-pattern>
> >     </web-resource-collection>
> >     <auth-constraint>
> >             <description></description>
> >             <role-name></role-name>
> >     </auth-constraint>
> > </security-constraint>
> > 
> > 
> > 
> > 
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> > 
> > 
> 
> 
> -- 
> Ted Husted,
> Struts in Action <http://husted.com/struts/book.html>
> 
> 
> 

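One way to check descriptors like the two quoted above, added here as an example (it is not from the thread's participants or from Struts): a small Python audit that reports, for every security-constraint covering *.jsp, whether its auth-constraint names no roles, a named role, or a blank role, and which HTTP methods it covers. The sample web.xml is constructed from the two snippets above plus a hypothetical third constraint called getOnly; the function names and verdict labels are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the thread's two constraints plus a hypothetical "getOnly" one.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><web-resource-name>SecureAllJSPs</web-resource-name>
      <url-pattern>*.jsp</url-pattern></web-resource-collection>
    <auth-constraint><role-name>nobody</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>blockJSPDirectAccess</web-resource-name>
      <url-pattern>*.jsp</url-pattern></web-resource-collection>
    <auth-constraint><role-name></role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>getOnly</web-resource-name>
      <url-pattern>*.jsp</url-pattern><http-method>GET</http-method></web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

def _local(el):
    return el.tag.rsplit("}", 1)[-1]  # drop an XML namespace, if the descriptor has one
def _texts(parent, name):
    return [(e.text or "").strip() for e in parent.iter() if _local(e) == name]

def audit_jsp_constraints(xml_text, pattern="*.jsp"):
    """Return (name, verdict, roles, methods) for each constraint covering pattern."""
    findings = []
    for sc in ET.fromstring(xml_text).iter():
        if _local(sc) != "security-constraint":
            continue
        auth = [e for e in sc if _local(e) == "auth-constraint"]
        roles = _texts(auth[0], "role-name") if auth else []
        if not auth:
            verdict = "no-auth-constraint"  # no role check is applied at all
        elif not roles:
            verdict = "deny-all"            # auth-constraint naming no roles: nobody may access
        elif "" in roles:
            verdict = "empty-role-name"     # blank name: the thread saw containers differ on it
        else:
            verdict = "role-restricted"     # blocks only while no user is mapped to the role
        for wrc in (e for e in sc if _local(e) == "web-resource-collection"):
            if pattern in _texts(wrc, "url-pattern"):
                name = (_texts(wrc, "web-resource-name") or ["?"])[0]
                methods = _texts(wrc, "http-method") or ["ALL"]
                findings.append((name, verdict, roles, methods))
    return findings

print(audit_jsp_constraints(SAMPLE_WEB_XML))
```

A constraint whose web-resource-collection lists http-method elements covers only those methods, so the getOnly entry leaves other methods on *.jsp outside that constraint.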