Put the JSP under /WEB-INF -- it is accessible to Struts routing but not
directly viewable by end clients.
jk

On Fri, May 15, 2009 at 2:36 PM, Timothy Orme
<to...@genome.med.harvard.edu> wrote:

> Hello All,
>
>        I'm in the process of migrating pages from JSPs using snippets to
> Struts actions. I'm wondering how people have disabled access to JSPs so
> that they cannot be accessed outside of the action anymore.
>        Right now if I have an action like:
>
>        <action name="ViewIndex" class="action.BaseAction">
>                <result name="success">/private/index.jsp</result>
>        </action>
>
>        There is nothing preventing the user from just browsing directly to
> /private/index.jsp instead of accessing it through the Action URL. This
> could have some bad implications about security, but also might just look
> bad if a page that should be receiving data from an action no longer has the
> source.
>
>        How have people worked around this in the past?
>
> -Tim Orme


-- 
Jim Kiley
Senior Technical Consultant | Summa
[p] 412.258.3346
http://www.summa-tech.com
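
The change suggested in the reply, applied to the action from the question, as an added example (not part of either message). The package name and the /WEB-INF/private/ layout are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.0//EN"
    "http://struts.apache.org/dtds/struts-2.0.dtd">
<struts>
    <!-- Package name "default" is an assumption; use the application's own. -->
    <package name="default" extends="struts-default">

        <!-- Before: the JSP sits in the public web root, so a client can
             request /private/index.jsp directly and skip the action.
        <action name="ViewIndex" class="action.BaseAction">
            <result name="success">/private/index.jsp</result>
        </action>
        -->

        <!-- After: the file is moved to WEB-INF/private/index.jsp (assumed
             layout). The servlet container refuses direct client requests
             for anything under /WEB-INF, while the default dispatcher
             result still reaches it through a server-side forward. -->
        <action name="ViewIndex" class="action.BaseAction">
            <result name="success">/WEB-INF/private/index.jsp</result>
        </action>

    </package>
</struts>
```

After redeploying, a direct request for /WEB-INF/private/index.jsp should return 404, while the ViewIndex action should still render the page.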
