I am not sure if it's already mentioned. JSP files stashed under WEB-INF/ are not accessible directly.

--- Parsons Technical Services <[EMAIL PROTECTED]> wrote:

> Jay,
>
> I think you need the auth-constraint tags.
>
> <!--Starts the section. Located after jsp-config near end of file-->
> <security-constraint>
>   <!--A description for identification by you. In real world might be
>       Salesmen Area. Or Admin Only-->
>   <display-name>Example Security Constraint</display-name>
>   <web-resource-collection>
>     <web-resource-name>Protected Area</web-resource-name>
>     <!-- Define the context-relative URL(s) to be protected (* may
>          only be used at end of string)-->
>     <!--Follows file structure in the app. If you need different areas
>         for different people, place in peer folders.-->
>     <url-pattern>/security/protected/*</url-pattern>
>     <!-- If you list http methods, only those methods are protected -->
>     <http-method>DELETE</http-method>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>     <http-method>PUT</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <!-- Anyone with one of the listed roles may access this area -->
>     <role-name>role1</role-name>
>   </auth-constraint>
> </security-constraint>
>
> Then don't give anyone that role.
>
> Doug
>
> ----- Original Message -----
> From: "Jay Wright" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Saturday, December 18, 2004 7:55 PM
> Subject: security-constraint to limit jsp access
>
> > I have a struts 1.2.4 webapp in which I'm trying to hide my jsp's from
> > being accessed directly. Instead of throwing them in the WEB-INF folder,
> > I'd rather just restrict access to them through the security-constraint
> > in the web.xml.
> >
> > I recently read that adding:
> >
> > <security-constraint>
> >   <web-resource-collection>
> >     <web-resource-name>JSPs</web-resource-name>
> >     <url-pattern>/struts/*</url-pattern>
> >     <http-method>GET</http-method>
> >     <http-method>POST</http-method>
> >   </web-resource-collection>
> > </security-constraint>
> >
> > to the web.xml file will restrict access to files in the directory from
> > direct URL access, but not from redirection or jsp forwarding, so they
> > can still be accessed through struts action mappings.
> >
> > But this doesn't work. It seems to be ignoring the constraint
> > altogether, as if I am missing an additional configuration. Is there
> > something I need to add?
> >
> > I know my mapping is correct because if I throw:
> >
> > <user-data-constraint>
> >   <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> > </user-data-constraint>
> >
> > into the constraint, it does try to connect to the pages through a
> > secure channel.
> >
> > I've scanned the web, now I'm on the mailing list: will this work and/or
> > what is the best way to prevent direct access to the JSPs?
> >
> > Thanks,
> > Jay
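
A check for the two conditions raised in this thread, added here as an example and not taken from any of the posts: a `security-constraint` with no `auth-constraint` does not restrict who may request the matched URLs, and listing `http-method` elements leaves every unlisted method outside the constraint. The function names and the combined sample file are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two constraints quoted in the thread, in one web.xml.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>JSPs</web-resource-name>
      <url-pattern>/struts/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/security/protected/*</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>role1</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix

def audit_constraints(web_xml):
    """Return (url-pattern, finding) pairs for each security-constraint."""
    findings = []
    root = ET.fromstring(web_xml)
    for sc in (e for e in root.iter() if local(e.tag) == "security-constraint"):
        kids = {local(e.tag): e for e in sc}
        items = list(kids.get("web-resource-collection", []))
        patterns = [e.text.strip() for e in items if local(e.tag) == "url-pattern"]
        methods = [e.text.strip() for e in items if local(e.tag) == "http-method"]
        for p in patterns:
            if "auth-constraint" not in kids:
                findings.append((p, "no auth-constraint: access is not restricted"))
            elif methods:
                findings.append((p, "only listed methods protected: " + ",".join(methods)))
    return findings

if __name__ == "__main__":
    for pattern, finding in audit_constraints(SAMPLE_WEB_XML):
        print(pattern, "->", finding)
```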