There is one other way and that is to forward *.jsp in web.xml to a filter which always fails.
Edgar

-----Original Message-----
From: lixin chu [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 8:24 PM
To: Struts Users Mailing List
Subject: Re: JSP Protection

thanks!

--- Max Cooper <[EMAIL PROTECTED]> wrote:
> The images are requested directly by the browser, so they must be accessible
> from the outside. Here's a little browser-server dialog to illustrate how it
> works:
>
> Browser: please give me /DoSomething.do
> Server: Here you go... (server invokes Struts action servlet, action servlet
> invokes the requested action, action says it wants to forward to a JSP,
> action servlet does the forward...)
> <html><img src="/images/bitchin_camaro.jpg"></html>
>
> Browser: please give me /images/bitchin_camaro.jpg
> Server: Here you go...
> 24927image247data7902578259image293data85984396574389...
>
> The request for the action returns HTML. The browser reads the HTML and sees
> that it references an image. The browser then makes a separate request for
> the image file so that it can render the page. The image file must be
> "request-able" by the browser or it won't show up when someone wants to view
> the page.
>
> -Max
>
> ----- Original Message -----
> From: "lixin chu" <[EMAIL PROTECTED]>
> To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
> Sent: Thursday, January 15, 2004 5:07 PM
> Subject: RE: JSP Protection
>
>
> > I can successfully move all the files into /WEB-INF/subfolder (WEB-INF is
> > protected by default) except the images/ folder. It seems that I have to
> > leave it outside - in the webapp root.
> > I am using Tomcat 5.0.16. Is it a defect or is it like this?
> >
> > --- "Karr, David" <[EMAIL PROTECTED]> wrote:
> > > Put all JSP pages that can't be accessed directly into a security
> > > constraint, only accessible by the role "nobody", which you will never
> > > add a user to. All accesses of JSPs will be through forwards from
> > > actions, which will not be blocked by that security constraint (unless
> > > you either have a broken web container or a Servlet 2.4 container where
> > > you've enabled auth on forward).
> > >
> > > -----Original Message-----
> > > From: Jürgen Scheffler [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, January 15, 2004 8:15 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: JSP Protection
> > >
> > > Hi,
> > >
> > > how do I block URL guessing?
> > > If someone requests abc.com/secret_page.jsp he gets it. In my Action I
> > > check if the user object has the right rights for this action and then I
> > > forward him. But if he guesses the jsp, he opens it.
> > >
> > > Help me!
> > >
> > > Jürgen
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]
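An added example (not code from the thread or from Struts) of the "filter which always fails" approach Edgar describes; the class and package names are assumptions. It relies on the Servlet 2.4 dispatcher rule behind David Karr's remark: a filter mapping with no `<dispatcher>` element applies only to direct client requests, so a forward from an action still reaches the JSP while a guessed URL is refused.

```java
// DenyDirectJspFilter.java: added example, not from the thread. Mapped to
// *.jsp, it refuses every request it sees. Because a Servlet 2.4 filter
// mapping defaults to <dispatcher>REQUEST</dispatcher>, the filter runs only
// for direct client requests; RequestDispatcher.forward() from a Struts
// action bypasses it and renders the page normally.
package example;  // hypothetical package name

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class DenyDirectJspFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Deliberately never calls chain.doFilter(): any client reaching this
        // filter asked for the JSP by URL, which is exactly what is refused.
        // 404 rather than 403 avoids confirming that the page exists.
        ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
    }

    public void destroy() {
        // nothing to release
    }
}

/* web.xml mapping (Servlet 2.4 schema). The <dispatcher> element is optional
   because REQUEST is the default, but stating it makes the intent explicit:

   <filter>
     <filter-name>denyDirectJsp</filter-name>
     <filter-class>example.DenyDirectJspFilter</filter-class>
   </filter>
   <filter-mapping>
     <filter-name>denyDirectJsp</filter-name>
     <url-pattern>*.jsp</url-pattern>
     <dispatcher>REQUEST</dispatcher>
   </filter-mapping>
*/
```

Keep the JSPs under /WEB-INF as well where possible; the filter then only guards pages that must stay in the webapp root, and an accidentally added FORWARD dispatcher would show up at once as blank pages from every action.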

