Filtering sounds good as well. Security seems to be a separate concern to Struts because it must be mostly performed from the outside: web.xml, filtering, maybe Spring Security or other tools, etc...

Anyway I have missed some guidance in the documentation: feature request? Also, I guess that security features are out of scope, is that right? Perhaps some support for standard use cases, like user login, would help.

On Monday, 1 July 2013 09:44:35 Antonios Gkogkakis wrote:
> What we've done is to create a filter (implement javax.servlet.Filter and
> define it in web.xml)
> and if the resource uri ends with .jsp we return an http 403 error.
>
> Antonios
>
> On 1 July 2013 09:38, Lukasz Lenart <lukaszlen...@apache.org> wrote:
> > 2013/7/1 Antonio Sánchez <juntandolin...@gmail.com>:
> > > I need to protect JSPs. Some options:
> > >
> > > 1. Put JSPs under WEB-INF and, optionally, use the conventions plugin.
> > >
> > > 2. Declare authorization constraints in web.xml.
> >
> > These two options are the best to avoid direct access to JSPs - not
> > all containers block access to resources in WEB-INF and fake auth
> > constraints will solve that problem and it's an ultimate solution.
> >
> >
> > Regards
> > --
> > Łukasz
> > + 48 606 323 122 http://www.lenart.org.pl/
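
The filter approach described in the quoted reply, sketched as an added example (not code from this thread or from Struts). The class name and the `jspBlock` filter name are hypothetical; it assumes the `javax.servlet` API and a mapping restricted to the `REQUEST` dispatcher, so that forwards from Struts results to JSPs are not blocked.

```java
import java.io.IOException;
import java.util.Locale;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: answers direct client requests for JSPs with 403.
// Assumed web.xml mapping (REQUEST only; FORWARD and INCLUDE dispatches,
// which Struts results use to render JSPs, bypass the filter):
//   <filter-mapping>
//     <filter-name>jspBlock</filter-name>
//     <url-pattern>/*</url-pattern>
//     <dispatcher>REQUEST</dispatcher>
//   </filter-mapping>
public class DirectJspBlockFilter implements Filter {
    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        if (isJsp(request)) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    // Checks the decoded servlet path plus path info instead of the raw request
    // URI, which is not URL-decoded. Anything after ';' is cut defensively, and
    // the comparison is case-insensitive and also covers .jspx documents.
    static boolean isJsp(HttpServletRequest request) {
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }
        int semi = path.indexOf(';');
        if (semi >= 0) path = path.substring(0, semi);
        path = path.toLowerCase(Locale.ROOT);
        return path.endsWith(".jsp") || path.endsWith(".jspx");
    }

    public void destroy() { }
}
```

Without the `REQUEST`-only mapping (or if `FORWARD` is added to it), every action whose result dispatches to a JSP would also receive the 403.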