We have developed an application using JBoss and Tomcat 3.2.1 and we need
to restrict access to .jsp files which are used as includes. We use files
like header.jsp and footer.jsp which are included from servlets, but we
don't want users to be able to access /header.jsp without going through
the servlet. All the JSP files are executed from servlets and none should
be accessed directly. I've tried removing the mapping for the .jsp
extension in web.xml but nothing changed. Is there an easy way to deny
access to all .jsp URLs, but which will still allow includes from inside
servlets to work?
I.e, something like this:
<FilesMatch "\.jsp$">
deny from all
</FilesMatch>
Thanks,
Nicolas Moldavsky
[EMAIL PROTECTED]
