It sounds like Albert wants certain (static) files to be viewable.
He just doesn't want anyone to be able to execute JSPs from this directory.
One thing you could try is a servlet mapping that sends all requests in
that directory that end with .jsp to a servlet that sends back a message
("FORBIDDEN FILE").
<servlet-mapping>
    <servlet-name>ForbiddenFileServlet</servlet-name>
    <url-pattern>/DIRECTORY_NAME/*.jsp</url-pattern>
</servlet-mapping>
-Ben
On Friday 12 December 2003 09:10 am, Tim Funk wrote:
> Ideally, files you don't want to be seen should be placed in WEB-INF.
>
> An alternative is to use a security constraint on the directory that has
> all of the content. This can be done in apache too via the <Location>
> directive.
>
> Another way is to place all those JSPs with a different extension and then
> add the mapping to web.xml. Then add the security constraint for that file
> extension. (Or let apache disallow that file extension)
>
> Forwarding to the default servlet WILL provide a 404 because it is a 404.
> The default servlet gets any request not assigned to any other servlet. So
> if the default servlet finds the resource, it returns a 404.
>
> -Tim
>
> Albert Moliner wrote:
> > Hello.
> >
> > I've searched the archives on this subject, but the nearest I've reached
> > has been some posts about not serving static content. It's a bit of a
> > surprise that no one has asked this before, so sorry if it is a recurrent
> > question.
> >
> > I want Tomcat (4) to execute JSPs as usual, but prevent it from running
> > the files that are under a certain directory for security reasons. These
> > files can be published by external people and are supposed to be static,
> > but if some mischievous publisher posts a JSP and it is executed then
> > there can be havoc.
> >
> > Apart from preventing the publishing of files with that extension, is
> > there a possible configuration that can be set up?
> >
> > I've tried mapping requests to that dir to the default servlet in
> > web.xml, but 404 errors are returned (why??), and some other weird things
> > like using an intermediate servlet that forwards to the default servlet
> > through its named request dispatcher (the forward method does not seem to
> > do anything when using the default servlet, while any other seems to work)
> > or setting up a separate context for that dir and forward requests to the
> > context, which maps *.jsp to the default context (I'll skip the details),
> > but I can't find the solution...
> >
> > What astonishes me more is that forwarding or mapping to the default
> > servlet does not work, but anyway I must be doing something wrong...
>
--
Ben Souther
F.W. Davison & Company, Inc.
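
Added example, not part of the original messages: a Servlet 2.3 filter that answers 403 for JSP paths under the directory while letting static files through to the default servlet. The class name StaticOnlyFilter and the extra .jspx check are assumptions; the filter is mapped to /DIRECTORY_NAME/* because the servlet specification treats a pattern such as /DIRECTORY_NAME/*.jsp as an exact-match string, not a wildcard.

```java
// Added example (not from the thread). StaticOnlyFilter is a hypothetical name.
// Register in web.xml, keeping the DIRECTORY_NAME placeholder used above:
//   <filter>
//     <filter-name>StaticOnlyFilter</filter-name>
//     <filter-class>StaticOnlyFilter</filter-class>
//   </filter>
//   <filter-mapping>
//     <filter-name>StaticOnlyFilter</filter-name>
//     <url-pattern>/DIRECTORY_NAME/*</url-pattern>
//   </filter-mapping>
import java.io.IOException;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class StaticOnlyFilter implements Filter {

    public void init(FilterConfig config) {}

    public void destroy() {}

    /** True when the container-resolved path names a JSP page or JSP document. */
    static boolean isJspPath(String servletPath, String pathInfo) {
        String path = (servletPath == null ? "" : servletPath)
                    + (pathInfo == null ? "" : pathInfo);
        // Case-insensitive on purpose: over-blocking ".JSP" is harmless here.
        String lower = path.toLowerCase(Locale.ENGLISH);
        return lower.endsWith(".jsp") || lower.endsWith(".jspx");
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // Use the decoded servlet path and path info, not the raw request URI.
        if (isJspPath(request.getServletPath(), request.getPathInfo())) {
            ((HttpServletResponse) res).sendError(
                    HttpServletResponse.SC_FORBIDDEN, "FORBIDDEN FILE");
            return; // never reaches the JSP servlet
        }
        chain.doFilter(req, res); // static content continues to the default servlet
    }
}
```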