Hello,
> I read a few hints and tricks on how to make a web application a little more secure.
> As I am using Struts right now I decided to put all JSPs under WEB-INF/jsp
^^^
> which (AFAIK) should work for JSP/Servlet spec 2.3.
> Now every time I try to forward from the (Struts) servlet to a jsp somewhere
> under WEB-INF/jsp I get a 404 errorcode telling me that e.g.
> "The requested resource (/psa/WEB-INF/test.jsp) is not available."
^^^
Seems like you're missing your subdir "/jsp/" in your forwards.
You can also put all your JSP pages e.g. in /webapp/s/ and define a
security-constraint on "/s/*" in your web.xml with *no* assigned roles, so nobody can
access your JSP-pages directly.
Snippet:
**********************
<!-- Security is active on entire directory '/s/' (contains all JSP-pages) -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>JSP</web-resource-name>
    <!-- Define the context-relative URL(s) to be protected -->
    <url-pattern>/s/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- assign no roles, so nobody can access this directory -->
    <role-name></role-name>
  </auth-constraint>
</security-constraint>
<!-- Login configuration -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>No access</realm-name>
</login-config>
**********************
Greetings,
Yann
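
An added example, not part of the mail above and not Struts code: a small Python audit that classifies every security-constraint in a web.xml, so a deny-all setup like the "/s/*" one can be checked for the variants that protect less. The /t/* and /u/* constraints, the verdict labels and the function names are hypothetical, and a blank role-name is assumed to match no user.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the mail's /s/* constraint wrapped in <web-app>, plus two
# hypothetical constraints (/t/*, /u/*) that look similar but protect less.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/s/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name></role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/t/*</url-pattern><http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/u/*</url-pattern></web-resource-collection>
  </security-constraint>
</web-app>"""

def local(tag):
    # Drop any namespace so DTD-based (2.3) and xmlns-based descriptors both work.
    return tag.rsplit("}", 1)[-1]

def audit(web_xml):
    """Return {url-pattern: verdict} for each security-constraint in web_xml."""
    verdicts = {}
    for sc in ET.fromstring(web_xml).iter():
        if local(sc.tag) != "security-constraint":
            continue
        kids = {}  # local tag name -> stripped text of each descendant with that tag
        for e in sc.iter():
            kids.setdefault(local(e.tag), []).append((e.text or "").strip())
        roles = [r for r in kids.get("role-name", []) if r]
        if "auth-constraint" not in kids:
            verdict = "OPEN"        # no auth-constraint: no authorization required
        elif roles:
            verdict = "ROLES:" + ",".join(roles)
        elif "http-method" in kids:
            verdict = "PARTIAL"     # denied only for the listed HTTP methods
        elif "role-name" in kids:
            verdict = "BLANK-ROLE"  # assumed to match no user; spec form is <auth-constraint/>
        else:
            verdict = "DENY-ALL"    # auth-constraint present and naming no roles
        for pattern in kids.get("url-pattern", []):
            verdicts[pattern] = verdict
    return verdicts

if __name__ == "__main__":
    print(audit(SAMPLE_WEB_XML))
```

Anything reported as OPEN or PARTIAL leaves the JSPs under that pattern reachable directly, either for every request or for the HTTP methods the constraint does not list.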