Ideally, files you don't want to be seen should be placed in WEB-INF.

An alternative is to use a security constraint on the directory that has all of the content. This can be done in apache too via the <Location> directive.

Another way is to place all those JSPs with a different extension and then add the mapping to web.xml. Then add the security constraint for that file extension. (Or let apache disallow that file extension)

Forwarding to the default servlet WILL provide a 404 because it is a 404. The default servlet gets any request not assigned to any other servlet. So if the default servlet finds the resource, it returns a 404.

-Tim
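The two web.xml-based suggestions above (serve your own JSPs under a different extension, then put a security constraint on the `*.jsp` extension) can be combined in one deployment descriptor. The following is an added example, not a configuration from this thread or from the Tomcat project; it assumes the webapp's own JSPs have been renamed to `*.xjsp` (a name chosen here for illustration), that the container's JSP servlet is registered under the name `jsp` in Tomcat's global conf/web.xml (as it is in Tomcat 4), and that an empty `<auth-constraint/>` denies every request, which is what the Servlet 2.3 spec defines:

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC
    "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>

  <!-- 1. Route the application's own JSPs, renamed to *.xjsp, to the
          container's JSP servlet. "jsp" is the servlet name Tomcat 4
          declares in conf/web.xml; "xjsp" is an extension chosen for
          this example. -->
  <servlet-mapping>
    <servlet-name>jsp</servlet-name>
    <url-pattern>*.xjsp</url-pattern>
  </servlet-mapping>

  <!-- 2. Deny every request for *.jsp. A security constraint is checked
          before any servlet (including the JSP servlet) runs, so a .jsp
          file dropped into the publishers' directory is never compiled
          or executed; the client gets a 403 instead. The empty
          auth-constraint means "no role may access this". Static files
          in the same directory (.html, .gif, ...) are unaffected. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Block uploaded JSPs</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

</web-app>
```

Check it after deploying by requesting a harmless test file such as /uploads/probe.jsp containing only static text: a 403 (not the rendered text and not a 404) shows the constraint fired before the JSP servlet. If the directory is also fronted by Apache, the same extension can be refused there with a `<Location>` or `<FilesMatch>` block, which stops the request before it reaches Tomcat at all.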

Albert Moliner wrote:

Hello.

I've searched the archives on this subject, but the nearest I've reached has
been some posts about not serving static content. It's a bit of a surprise that
no one has asked this before, so sorry if it is a recurrent question.

I want Tomcat (4) to execute JSPs as usual, but prevent it from running the
files that are under a certain directory for security reasons. These files can
be published by external people and are supposed to be static, but if some
mischievous publisher posts a JSP and it is executed then there can be havoc.

Apart from preventing the publishing of files with that extension, is there a
possible configuration that can be set up?

I've tried mapping requests to that dir to the default servlet in web.xml, but
404 errors are returned (why??), and some other weird things like using an
intermediate servlet that forwards to the default servlet through its named
request dispatcher (the forward method does not seem to do anything when using
the default servlet, while any other seems to work) or setting up a separate
context for that dir and forward requests to the context, which maps *.jsp to
the default context (I'll skip the details), but I can't find the solution...

What astonishes me more is that forwarding or mapping to the default servlet
does not work, but anyway I must be doing something wrong...
