Erik,

That's exactly what I want: no direct access but only through servlet. I'll try moving one to WEB-INF and see if that solves the problem.

Ken

-----Original Message-----
From: Erik Price [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 21, 2003 11:32 AM
To: Tomcat Users List
Subject: Re: Mapping .jsp to controller servlet

I may not be entirely clear on what you're saying, but if you're saying that no one should directly be able to request your JSPs and instead they should only access the contents of your site by requesting Servlet resources (which then forward to JSPs), perhaps it would be worth moving the JSPs into WEB-INF where they cannot be touched? AFAIK, you can still have the servlets dispatcher.forward() to the JSPs if you do this.

Erik

Januski, Ken wrote:

> Yesterday I noticed that an application that has been running successfully
> for about a year has a problem I've never noticed before. It's set up so
> that all access to web-app is through a login method that calls a login.jsp
> page from a controller servlet. So all requests to jsp pages get redirected
> to the login page. But yesterday I noticed that if I included .jsp in the
> address the controller servlet and the login.jsp are completely bypassed and
> access is given to the jsp page.
>
> I've also recently changed the login method to use JCIFS and authenticate
> against NT domain controller rather than a MySQL database and I suppose it's
> possible that the problem is actually there. In investigating this though
> I've read that .jsp pages are public, which indicates to me that they CAN be
> accessed directly. Can anyone tell me if this is true? In other words, is
> mapping .jsp to a servlet fruitless? If not then I guess I can conclude that
> it's the login method that is failing, not the mapping. I've included this in
> my web.xml to force redirection of all .jsp pages to the servlet but it seems
> to have no effect.
>
> The relevant portion of web.xml, mapped to servlet named 'sysadmin' further
> up in web.xml.
>
> <servlet-mapping>
>     <servlet-name>
>         sysadmin
>     </servlet-name>
>     <url-pattern>
>         .*jsp
>     </url-pattern>
> </servlet-mapping>
>
> Thanks for any info,
>
> Ken
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
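
Added example, not part of the original thread and not Tomcat code: a simplified Python model of the Servlet specification's URL-pattern rules, showing why the `.*jsp` pattern in the quoted web.xml never intercepts a JSP request and why a JSP under WEB-INF is reachable only through a server-side forward. The `/app/*` controller mapping and the JSP paths are assumptions made for illustration; `*.jsp` to the `jsp` servlet is the mapping in Tomcat's global web.xml.

```python
# Simplified model of the Servlet specification's URL-pattern rules
# (exact, longest path prefix, extension, default). Not Tomcat source code.

def classify(pattern):
    """Return the kind of mapping a <url-pattern> string declares."""
    if pattern == "/":
        return "default"
    if pattern.startswith("/") and pattern.endswith("/*"):
        return "path"
    if pattern.startswith("*."):
        return "extension"
    return "exact"  # every other string is compared literally, never as a regex


def resolve(path, mappings):
    """Pick the servlet for a context-relative path, in spec precedence order."""
    by_kind = {"exact": {}, "path": {}, "extension": {}, "default": {}}
    for pattern, servlet in mappings.items():
        by_kind[classify(pattern)][pattern] = servlet
    if path in by_kind["exact"]:
        return by_kind["exact"][path]
    prefixes = [p for p in by_kind["path"]
                if path == p[:-2] or path.startswith(p[:-1])]
    if prefixes:
        return by_kind["path"][max(prefixes, key=len)]
    last_segment = path.rsplit("/", 1)[-1]
    if "." in last_segment:
        ext = "*." + last_segment.rsplit(".", 1)[-1]
        if ext in by_kind["extension"]:
            return by_kind["extension"][ext]
    return by_kind["default"].get("/")


def client_request(path, mappings):
    """Direct browser request: the container never serves /WEB-INF/ content."""
    if path.upper().startswith("/WEB-INF/"):
        return None  # answered with 404; only a server-side forward can reach it
    return resolve(path, mappings)


# Constructed mappings: Tomcat's global *.jsp -> "jsp" servlet plus the
# application's controller. "/app/*" and the JSP paths are hypothetical.
CONTAINER = {"*.jsp": "jsp", "/": "default"}
AS_POSTED = {**CONTAINER, ".*jsp": "sysadmin", "/app/*": "sysadmin"}
HARDENED = {**CONTAINER, "/app/*": "sysadmin"}
```

With `AS_POSTED`, `client_request("/admin/report.jsp", AS_POSTED)` resolves to the container's `jsp` servlet rather than `sysadmin`. With the JSP moved under WEB-INF, the direct request returns `None`, while `resolve()` on the same path, standing in for the controller's forward, still reaches the `jsp` servlet.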
