Hmm. I got a 404 error after moving one jsp file to WEB-INF and trying to directly access it. That's not great but at least it prevents access. Worse though is that when I then try to go to page after having logged in I get a "root cause: file not found error". So it looks to me like you can't move your .jsp files out of the root web-app directory. Can anyone shed any more light on this?

-----Original Message-----
From: Januski, Ken [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 21, 2003 11:36 AM
To: Tomcat Users List
Subject: RE: Mapping .jsp to controller servlet

Erik,

That's exactly what I want: no direct access but only through servlet. I'll try moving one to WEB-INF and see if that solves the problem.

Ken

-----Original Message-----
From: Erik Price [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 21, 2003 11:32 AM
To: Tomcat Users List
Subject: Re: Mapping .jsp to controller servlet

I may not be entirely clear on what you're saying, but if you're saying that no one should directly be able to request your JSPs and instead they should only access the contents of your site by requesting Servlet resources (which then forward to JSPs), perhaps it would be worth moving the JSPs into WEB-INF where they cannot be touched? AFAIK, you can still have the servlets dispatcher.forward() to the JSPs if you do this.

Erik

Januski, Ken wrote:

> Yesterday I noticed that an application that has been running successfully
> for about a year has a problem I've never noticed before. It's set up so
> that all access to web-app is through a login method that calls a login.jsp
> page from a controller servlet. So all requests to jsp pages get redirected
> to the login page. But yesterday I noticed that if I included .jsp in the
> address the controller servlet and the login.jsp are completely bypassed and
> access is given to the jsp page.
>
> I've also recently changed the login method to use JCIFS and authenticate
> against NT domain controller rather than a mySQL database and I suppose it's
> possible that the problem is actually there. In investigating this though
> I've read that .jsp pages are public, which indicates to me that they CAN be
> accessed directly. Can anyone tell me if this is true. In other words is
> mapping .jsp to a servlet fruitless? If not then I guess I can conclude that
> it's the login method that is failing not the mapping. I've included this in
> my web.xml to force redirection of all .jsp page to the servlet but it seems
> to have no effect.
>
> The relevant portion of web.xml, mapped to servlet named 'sysadmin' further
> up in web.xml.
>
> <servlet-mapping>
>   <servlet-name>
>     sysadmin
>   </servlet-name>
>   <url-pattern>
>     .*jsp
>   </url-pattern>
> </servlet-mapping>
>
> Thanks for any info,
>
> Ken
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
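
Added example, not part of the original thread or of Tomcat's own code: a controller servlet that keeps the JSPs under WEB-INF and forwards to them only after a login check, which is the arrangement discussed in the thread. It assumes the javax.servlet API (Tomcat 9 and earlier) and Java 9+; the /app/* mapping, the view paths and the "user" session attribute are hypothetical names.

```java
import java.io.IOException;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Assumed web.xml mapping for this servlet: <url-pattern>/app/*</url-pattern>
// Servlet spec pattern forms: "/prefix/*" (path), "*.ext" (extension), "/" (default);
// any other string is used for exact matches only.
// A path-prefix mapping is used here so that forwarding to a .jsp does not
// re-enter the controller, which an extension mapping on *.jsp would cause.
public class ControllerServlet extends HttpServlet {

    // Allowlist of request path -> view stored under WEB-INF (hypothetical names).
    // The container never serves WEB-INF content directly to a client, but a
    // RequestDispatcher forward from inside the web-app can reach it.
    private static final Map<String, String> VIEWS = Map.of(
            "/login", "/WEB-INF/jsp/login.jsp",
            "/report", "/WEB-INF/jsp/report.jsp");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getPathInfo() is null when the request is exactly /app
        String path = req.getPathInfo();
        String view = (path == null) ? null : VIEWS.get(path);
        if (view == null) {
            // Unknown page: never build a file path from user input.
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // Assumption: the login code stores a "user" attribute in the session.
        HttpSession session = req.getSession(false);
        boolean loggedIn = session != null && session.getAttribute("user") != null;
        if (!loggedIn) {
            view = VIEWS.get("/login");
        }

        // The dispatcher path is relative to the context root and must start
        // with "/", so it has to include the WEB-INF prefix after the move.
        req.getRequestDispatcher(view).forward(req, resp);
    }
}
```

With this layout a request for /report.jsp or /WEB-INF/jsp/report.jsp returns 404, while /app/report renders the page only for a logged-in session.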
