I am not sure if it's already mentioned. JSP files stashed under WEB-INF/
are not accessible directly.
--- Parsons Technical Services
<[EMAIL PROTECTED]> wrote:
> Jay,
>
> I think you need the auth-constraint tags.
>
> <!--Starts the section. Located after jsp-config near end of file-->
> <security-constraint>
>     <!--A description for identification by you. In real world might be
>         Salesmen Area. Or Admin Only-->
>     <display-name>Example Security Constraint</display-name>
>     <web-resource-collection>
>         <web-resource-name>Protected Area</web-resource-name>
>         <!-- Define the context-relative URL(s) to be protected (* may
>              only be used at end of string)-->
>         <!--Follows file structure in the app. If you need different areas
>             for different people, place in peer folders.-->
>         <url-pattern>/security/protected/*</url-pattern>
>         <!-- If you list http methods, only those methods are protected -->
>         <http-method>DELETE</http-method>
>         <http-method>GET</http-method>
>         <http-method>POST</http-method>
>         <http-method>PUT</http-method>
>     </web-resource-collection>
>     <auth-constraint>
>         <!-- Anyone with one of the listed roles may access this area -->
>         <role-name>role1</role-name>
>     </auth-constraint>
> </security-constraint>
>
> Then don't give anyone that role.
>
>
> Doug
>
> ----- Original Message -----
> From: "Jay Wright" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Saturday, December 18, 2004 7:55 PM
> Subject: security-constraint to limit jsp access
>
>
> >
> > I have a struts 1.2.4 webapp in which I'm trying to hide my jsp's from
> > being accessed directly. Instead of throwing them in the WEB-INF folder,
> > I'd rather just restrict access to them through the security-constraint
> > in the web.xml.
> >
> > I recently read that adding:
> >
> > <security-constraint>
> >     <web-resource-collection>
> >         <web-resource-name>JSPs</web-resource-name>
> >         <url-pattern>/struts/*</url-pattern>
> >         <http-method>GET</http-method>
> >         <http-method>POST</http-method>
> >     </web-resource-collection>
> > </security-constraint>
> >
> > to the web.xml file will restrict access to files in the directory from
> > direct URL access, but not from redirection or jsp forwarding, so they
> > can still be accessed through struts action mappings.
> >
> > But this doesn't work. It seems to be ignoring the constraint
> > altogether, as if I am missing an additional configuration. Is there
> > something I need to add?
> >
> > I know my mapping is correct because if I throw:
> >
> > <user-data-constraint>
> >     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> > </user-data-constraint>
> >
> > into the constraint, it does try to connect to the pages through a
> > secure channel.
> >
> > I've scanned the web, now I'm on the mailing list: will this work and/or
> > what is the best way to prevent direct access to the JSPs?
> >
> > Thanks,
> > Jay
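
Added example, not part of the thread: a small Python check that classifies each security-constraint in a web.xml by the rules discussed above. Under the servlet specification a constraint with no auth-constraint places no restriction on who may request the resource, an empty auth-constraint denies all direct requests, and listing http-method elements leaves unlisted methods unconstrained. The function names and the sample document are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint from the original question, then a deny-all variant.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>JSPs</web-resource-name>
      <url-pattern>/struts/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>JSPs</web-resource-name>
      <url-pattern>/struts/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

def local(tag):
    """Strip an XML namespace so namespaced web.xml files also match."""
    return tag.rsplit("}", 1)[-1]

def audit(web_xml):
    """Return one finding dict per <security-constraint> (hypothetical helper)."""
    findings = []
    for sc in ET.fromstring(web_xml).iter():
        if local(sc.tag) != "security-constraint":
            continue
        kids = {}
        for e in sc.iter():
            kids.setdefault(local(e.tag), []).append(e)
        texts = lambda name: [(e.text or "").strip() for e in kids.get(name, [])]
        if "auth-constraint" not in kids:
            access = "unrestricted"   # no auth-constraint: any caller may request it
        elif texts("role-name"):
            access = "roles"          # only callers holding a listed role
        else:
            access = "deny-all"       # empty auth-constraint: no direct access
        findings.append({"patterns": texts("url-pattern"), "access": access,
                         # listed methods are the only ones the constraint covers
                         "unlisted_methods_open": bool(texts("http-method"))})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_WEB_XML):
        print(finding)
```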