Protecting JSPs in Tomcat 5

Andrew Shirk Mon, 26 Jul 2004 13:21:37 -0700

In Tomcat 4, I would map request URLs to JSPs and handle the forwarding on the server side. Direct user access to JSPs was prevented using the following security constraint configuration:

<security-constraint>
  <display-name>JSP Protection</display-name>
  <web-resource-collection>
    <web-resource-name>JSPs</web-resource-name>
    <url-pattern>*.jsp</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Administrator</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

This seems to not work with Tomcat 5 as the constraint is applied even though no direct request is made by the user. Is this change in behavior the result of a spec change? I could find no such clarification.

Thanks for the help.

Andrew


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Protecting JSPs in Tomcat 5

Reply via email to