Have you tried writing a session bean??? If not, just write a session bean and import it as a header in
all your *.jsp pages. The sessions will control the flow of
the application.


ex:
<%@ include file="Secrity_stuff.jsp" %>

This is common in writing applications.

Robert Taylor wrote:

Thanks Hassan. I didn't realize that was added to the 2.4 spec.
Thanks for pointing that out.


Even so, it would be nice to know how to use CMS to achieve this.

Maybe a better way to form the question would be how do I use
CMS to protect .jsp pages from direct access and return a user
friendly page/message when a .jsp page is requested without going through
the controller?


/robert



-----Original Message-----
From: Hassan Schroeder [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 14, 2004 2:21 PM
To: Tomcat Users List
Subject: Re: [newbie] Container Managed Security - preventing direct
access to .jsp


Robert Taylor wrote:



Please let me know if this question is just too obvious
and I'll gladly RTFM...


See below :-)



It just seems like a common idiom to provide a portable mechanism
for protecting direct access to .jsp so as to enforce access through
some controller. I have in the past placed .jsp files "behind" WEB-INF,
but I don't believe that is portable and would like to use CMS to achieve
this.


Given that the Java™ Servlet Specification Version 2.4, page 70 sez:

        A special directory exists within the application hierarchy
        named WEB-INF. This directory contains all things related to
        the application that aren't in the document root of the
        application. The WEB-INF node is not part of the public
        document tree of the application. No file contained in the
        WEB-INF directory may be served directly to a client by the
        container.

I don't know how much more "portable" you want it to be :-)

HTH!
--
Hassan Schroeder ----------------------------- [EMAIL PROTECTED]
Webtuitive Design ===  (+1) 408-938-0567   === http://webtuitive.com

                          dream.  code.



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]










--

Dwayne A. Ghant
Application Developer
Temple University
215.204.5555
[EMAIL PROTECTED]
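
Added example, not part of the original thread: one way to answer Robert's container-managed-security question in web.xml, using a security constraint with an empty auth-constraint on *.jsp plus a 403 error page. The resource name and /forbidden.html are assumed names; the controller still reaches the pages because constraints apply to client requests, not to RequestDispatcher forwards or includes.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- Deny every client request whose URL matches *.jsp. -->
  <security-constraint>
    <web-resource-collection>
      <!-- Assumed label; any descriptive name works. -->
      <web-resource-name>Direct JSP access</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
      <!-- No http-method elements: the constraint covers all methods. -->
    </web-resource-collection>
    <!-- An auth-constraint naming no roles means nobody is permitted,
         authenticated or not; the container answers 403 Forbidden.
         Leaving the element out entirely would mean the opposite
         (no restriction at all). -->
    <auth-constraint/>
  </security-constraint>

  <!-- User-friendly page for the 403 above.
       /forbidden.html is an assumed static file in the document root. -->
  <error-page>
    <error-code>403</error-code>
    <location>/forbidden.html</location>
  </error-page>

</web-app>
```

A welcome file such as index.jsp that clients request directly is blocked by the same pattern, so the entry point has to be a servlet mapping or a non-JSP resource.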



