I use Acegi security to make sure that all of my pages are secure. I
find it very flexible, but not always easy to configure.
If you are already using Spring as your IoC, then you might as well take
advantage of Acegi.
Jeromy Evans wrote:
I've been told that some older containers don't allow you to forward to
JSPs behind /WEB-INF. It wouldn't surprise me.
Other than that I've found Ian's suggestion to be the most effective way
to ensure users can't access JSPs directly, IMO a must for Tiles, html
fragments and any page using struts tags.
The only issue I've experienced is when (bad) scriptlets within the JSP
manipulate the request object directly, which is assumed to use the
/xxx.jsp URI but is actually /WEB-INF/results/xxx.jsp.
Many would argue that best practice is to not use JSPs at all. Another
group would argue that Acegi should be used rather than rolling your own
filter.
Hope that helps.
mojoRising wrote:
Is this considered the best practice: keeping all JSPs under the WEB-INF
directory? We have not done that on my project; I am curious if there are
pluses and minuses to this?
Thanks,
John
The easiest way is to always have the user call an action to get a
JSP, even if it is a simple page. You then also ensure that all data
necessary for that page has been obtained. Then, by placing the JSPs
in the WEB-INF directory you will prevent access directly from a
browser (only from the s2 dispatcher).
Otherwise, I would suggest a servlet filter, or header code in all
JSPs, that makes the necessary checks.
/Ian
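As an added example (not code from Ian, Jeromy or the Struts project), here is the "otherwise" path Ian describes: a servlet Filter that refuses any request in which the browser names a JSP directly, while letting a forward from an action (the s2 dispatcher, or a RequestDispatcher you call yourself) through. It also shows the fix for the scriptlet problem Jeromy mentions: once the JSP lives at /WEB-INF/results/xxx.jsp, request.getRequestURI() inside that JSP reports the forwarded-to path, and the URI the client actually asked for has to be read from the javax.servlet.forward.request_uri attribute instead. The class and method names are mine; it assumes a Servlet 2.4 or later container, which is where that attribute and the <dispatcher> element in the filter mapping were introduced.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Blocks direct browser requests for JSPs; forwards from an action still pass.
 *
 * Suggested web.xml mapping (assumption, not from the thread):
 *
 *   <filter-mapping>
 *     <filter-name>directJspAccess</filter-name>
 *     <url-pattern>*.jsp</url-pattern>
 *     <dispatcher>REQUEST</dispatcher>   <!-- direct client requests only -->
 *     <dispatcher>FORWARD</dispatcher>   <!-- forwards are seen but allowed -->
 *   </filter-mapping>
 *
 * JSPs already under /WEB-INF need none of this: the container itself will not
 * serve them to a client. The filter covers JSPs that could not be moved there.
 */
public class DirectJspAccessFilter implements Filter {

    /** Set by the container on a request that arrived via RequestDispatcher.forward(); absent on a direct request. */
    static final String FORWARD_URI = "javax.servlet.forward.request_uri";

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (isDirectJspRequest(request)) {
            // 404 rather than 403: do not confirm that the JSP exists.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    /** True when the client asked for a *.jsp or *.jspx path itself instead of going through an action. */
    static boolean isDirectJspRequest(HttpServletRequest request) {
        // Path inside the web application, independent of how the servlet was mapped.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        // Strip any path parameter such as ";jsessionid=..." before looking at the extension.
        int semicolon = path.indexOf(';');
        if (semicolon >= 0) {
            path = path.substring(0, semicolon);
        }
        String lower = path.toLowerCase();
        boolean namesJsp = lower.endsWith(".jsp") || lower.endsWith(".jspx");
        boolean forwarded = request.getAttribute(FORWARD_URI) != null;
        return namesJsp && !forwarded;
    }

    /**
     * The URI the browser actually requested. Inside a JSP reached by forward,
     * request.getRequestURI() returns the JSP's own path (e.g. /app/WEB-INF/results/xxx.jsp),
     * which is the mistake Jeromy describes; the forward attribute still holds /app/xxx.action.
     */
    static String clientRequestedUri(HttpServletRequest request) {
        Object original = request.getAttribute(FORWARD_URI);
        return original != null ? original.toString() : request.getRequestURI();
    }
}
```

The extension check runs on the container's decoded request URI, so the same path the JSP servlet would match is the one tested here; a scriptlet or tag file that needs the original URL should call clientRequestedUri (or read the attribute directly) rather than request.getRequestURI(). An include, as opposed to a forward, uses the separate javax.servlet.include.request_uri attribute and is not treated as forwarded by this filter.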
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]