Hi,

(Tomcat 3.2.1, Windows 2000, JDK 1.3.1)

I want to use a Request Controller architecture for a webapp (i.e. one JSP
that receives all requests and then dispatches the requests to other JSPs
for servicing of the request). Of course I want to ensure that these
"servicing" JSPs are not accessible without passing through the controller
jsp. Is a secure solution to this problem to use a servlet mapping of the
following form in web.xml:

<web-app>

  <servlet>
    <servlet-name>controller</servlet-name>
    <jsp-file>controller.jsp</jsp-file>
  </servlet>

  <servlet-mapping>
    <servlet-name>controller</servlet-name>
    <url-pattern>/*</url-pattern>
  </servlet-mapping>

</web-app>


And to include in Controller.jsp a session bean for each user to check
whether they have logged on to the site before forwarding their request to
the "servicing" JSP.

I have tried this out "empirically" myself and it seems to work but I would
quite like a "theoretical" confirmation that this is secure and that this
solution makes it impossible for a malicious user to get access to the
"servicing" JSPs (without passing through Controller.jsp which will force a
logon).

Thanks.

Tim.
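
The question above turns on how a container picks a servlet for a request path. The following added example (not part of the original post, and not Tomcat's code) models the Servlet specification's matching order (exact, longest path prefix, extension, default) and compares the posted `/*` mapping with a narrower one. The servlet names "jsp" and "default", the implicit mappings and the JSP paths are assumptions made for the illustration.

```python
# Added example: a model of the Servlet specification's mapping rules.
# Servlet names "jsp" and "default" and the JSP paths are constructed.

def resolve(mappings, path):
    """Return the name of the servlet that handles a context-relative path."""
    special = lambda p: p.endswith("/*") or p.startswith("*.") or p == "/"
    # Rule 1: an exact pattern wins.
    for pattern, servlet in mappings:
        if not special(pattern) and pattern == path:
            return servlet
    # Rule 2: otherwise the longest matching path prefix ("/dir/*").
    best = None
    for pattern, servlet in mappings:
        if pattern.endswith("/*"):
            prefix = pattern[:-2]
            if path == prefix or path.startswith(prefix + "/"):
                if best is None or len(prefix) > len(best[0]):
                    best = (prefix, servlet)
    if best is not None:
        return best[1]
    # Rule 3: otherwise an extension pattern ("*.jsp").
    last = path.rsplit("/", 1)[-1]
    if "." in last:
        wanted = "*." + last.rsplit(".", 1)[1]
        for pattern, servlet in mappings:
            if pattern == wanted:
                return servlet
    # Rule 4: otherwise the default servlet ("/").
    for pattern, servlet in mappings:
        if pattern == "/":
            return servlet
    return None

def bypasses(mappings, paths, gate="controller"):
    """Paths that reach some servlet other than the gate."""
    return [p for p in paths if resolve(mappings, p) != gate]

IMPLICIT = [("*.jsp", "jsp"), ("/", "default")]      # assumed container defaults
POSTED = [("/*", "controller")] + IMPLICIT            # mapping from the post
NARROW = [("/controller", "controller")] + IMPLICIT   # contrast case
SERVICING = ["/orders.jsp", "/admin/report.jsp"]      # hypothetical JSPs

if __name__ == "__main__":
    print("posted:", bypasses(POSTED, SERVICING))
    print("narrow:", bypasses(NARROW, SERVICING))
```

The specification applies the same matching rules to a path passed to a RequestDispatcher, so the forward target is worth running through the resolver as well.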

