Jay,
I think you need the auth-constraint tags.
<!-- Starts the section. Located after jsp-config near the end of the file -->
<security-constraint>
  <!-- A description for identification by you. In the real world it might be
       Salesmen Area, or Admin Only -->
  <display-name>Example Security Constraint</display-name>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <!-- Define the context-relative URL(s) to be protected (* may
         only be used at the end of the string) -->
    <!-- Follows the file structure in the app. If you need different areas
         for different people, place them in peer folders. -->
    <url-pattern>/security/protected/*</url-pattern>
    <!-- If you list http methods, only those methods are protected -->
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <!-- Anyone with one of the listed roles may access this area -->
    <role-name>role1</role-name>
  </auth-constraint>
</security-constraint>
Then don't give anyone that role.
Doug
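An added example, not taken from Doug's or Jay's mail, that applies Doug's advice to Jay's /struts/* pattern. It assumes a Servlet 2.4 web.xml: an empty auth-constraint grants access to no role at all, so no role has to be kept unassigned, and omitting the http-method elements makes the constraint cover every method rather than only GET and POST. Struts actions that forward to the JSPs with a RequestDispatcher are unaffected, because the container applies security constraints to client requests only.

```xml
<!-- Added example (not from the thread). Assumes Servlet 2.4 semantics. -->

<!-- What Jay posted: a web-resource-collection with no auth-constraint.
     Without an auth-constraint the resource stays unrestricted, which is
     why the container appeared to ignore it. -->
<!--
<security-constraint>
  <web-resource-collection>
    <web-resource-name>JSPs</web-resource-name>
    <url-pattern>/struts/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
</security-constraint>
-->

<!-- Hardened form: direct client requests to /struts/* get 403 for everyone,
     while action forwards to the same JSPs still work. -->
<security-constraint>
  <display-name>Block direct JSP access</display-name>
  <web-resource-collection>
    <web-resource-name>Struts JSPs</web-resource-name>
    <url-pattern>/struts/*</url-pattern>
    <!-- No http-method elements here on purpose: listing methods protects
         only those methods, so HEAD, OPTIONS etc. would otherwise slip
         through. With none listed, all methods are covered. -->
  </web-resource-collection>
  <!-- An empty auth-constraint means "no role may access", i.e. deny all.
       Equivalent to Doug's role1 trick, but with nothing to forget to
       leave unassigned. -->
  <auth-constraint/>
</security-constraint>
```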
----- Original Message ----- From: "Jay Wright" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, December 18, 2004 7:55 PM
Subject: security-constraint to limit jsp access
I have a struts 1.2.4 webapp in which I'm trying to hide my jsp's from being
accessed directly. Instead of throwing them in the WEB-INF folder, I'd
rather just restrict access to them through the security-constraint in the
web.xml.
I recently read that adding:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>JSPs</web-resource-name>
    <url-pattern>/struts/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
</security-constraint>
to the web.xml file will restrict access to files in the directory from direct URL access, but not from redirection or jsp forwarding, so they can still be accessed through struts action mappings.
But this doesn't work. It seems to be ignoring the constraint altogether,
as if I am missing an additional configuration. Is there something I need
to add?
I know my mapping is correct because if I throw:
<user-data-constraint>
  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
into the constraint, it does try to connect to the pages through a secure channel.
I've scanned the web, now I'm on the mailing list: will this work and/or what is the best way to prevent direct access to the JSPs?
Thanks, Jay
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
