Jay,

There was just a fairly exhaustive thread on this topic. Here is the outcome:
http://nagoya.apache.org/eyebrowse/[EMAIL PROTECTED]&msgNo=163858
/robert

> -----Original Message-----
> From: Jay Wright [mailto:[EMAIL PROTECTED]
> Sent: Saturday, December 18, 2004 7:55 PM
> To: [EMAIL PROTECTED]
> Subject: security-constraint to limit jsp access
>
> I have a struts 1.2.4 webapp in which I'm trying to hide my JSPs from being
> accessed directly. Instead of throwing them in the WEB-INF folder, I'd
> rather just restrict access to them through the security-constraint in the
> web.xml.
>
> I recently read that adding:
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>JSPs</web-resource-name>
>     <url-pattern>/struts/*</url-pattern>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>   </web-resource-collection>
> </security-constraint>
>
> to the web.xml file will restrict access to files in the directory from
> direct URL access, but not from redirection or jsp forwarding, so they can
> still be accessed through struts action mappings.
>
> But this doesn't work. It seems to be ignoring the constraint altogether,
> as if I am missing an additional configuration. Is there something I need
> to add?
>
> I know my mapping is correct because if I throw:
>
> <user-data-constraint>
>   <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> </user-data-constraint>
>
> into the constraint, it does try to connect to the pages through a secure
> channel.
>
> I've scanned the web, now I'm on the mailing list: will this work and/or
> what is the best way to prevent direct access to the JSPs?
>
> Thanks,
> Jay
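
Added example (not part of the original messages, and not taken from the linked thread): under the Servlet specification, a <security-constraint> with no <auth-constraint> restricts access for no one, while an empty <auth-constraint/> denies every direct client request; constraints are not applied to RequestDispatcher forwards, so action forwards still reach the JSPs. The Python sketch below audits a descriptor for this; audit_constraints, SAMPLE_WEB_XML and the effect labels are names made up here.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint quoted in the message, then a variant with
# an empty <auth-constraint/>, which the Servlet spec defines as "deny all".
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>JSPs</web-resource-name>
      <url-pattern>/struts/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>JSPs (deny direct access)</web-resource-name>
      <url-pattern>/struts/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

def _local(tag):
    """Drop the XML namespace so DTD (2.3) and schema (2.4+) descriptors both parse."""
    return tag.rsplit("}", 1)[-1]

def audit_constraints(web_xml_text):
    """Classify each <security-constraint> by its effect on direct client requests."""
    findings = []
    for sc in ET.fromstring(web_xml_text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        nodes = list(sc.iter())
        def text_of(name):
            return [(n.text or "").strip() for n in nodes if _local(n.tag) == name]
        has_auth = any(_local(n.tag) == "auth-constraint" for n in nodes)
        roles = text_of("role-name")
        if not has_auth:
            effect = "no-access-restriction"  # nothing is denied to anyone
        elif not roles:
            effect = "deny-all"  # empty auth-constraint: no direct access
        else:
            effect = "roles-required"
        # Listed methods are the only ones covered; an empty list covers all.
        findings.append({"patterns": text_of("url-pattern"), "effect": effect,
                         "roles": roles, "methods": text_of("http-method")})
    return findings
```

Run against the sample, the first constraint (the one from the message) is reported as "no-access-restriction" and the second as "deny-all".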
