On Thu, Jun 18, 2009 at 07:47:45PM +0530, Girish Naik wrote:
> Go to the Tomcat Home/conf/web.xml file. In this file, put listings as false.
> <init-param>
>     <param-name>listings</param-name>
>     <param-value>false</param-value>
> </init-param>
> 
> Regards,
> ---------------------------------------------------------
> Girish Naik

Doesn't that still allow access by direct URL to the JSP? I think
it disables directory listings only.

Anyway, perhaps the easiest solution is to put such JSPs in a subdirectory
of WEB-INF. The web container must not expose that hierarchy via HTTP
(see servlet spec, section 9.5). I like to keep my JSPs in /WEB-INF/views.

Best regards, Jan

> Mobile:-+91-09740091638
> girish.n...@gmail.com
> Rodney Dangerfield <http://www.brainyquote.com/quotes/authors/r/rodney_dangerfield.html>
> - "What a dog I got, his favorite bone is in my arm."
> 
> On Thu, Jun 18, 2009 at 7:11 PM, Greg Lindholm <greg.lindh...@gmail.com> wrote:
> 
> > We put all our JSP files into a /struts/ folder, then add the following
> > security constraint to web.xml
> >
> >
> >    <security-constraint>
> >        <display-name>Prevent access to raw pages.</display-name>
> >        <web-resource-collection>
> >            <web-resource-name>Raw Pages</web-resource-name>
> >            <url-pattern>/struts/*</url-pattern>
> >        </web-resource-collection>
> >        <auth-constraint>
> >            <description>No roles, so no direct access</description>
> >        </auth-constraint>
> >    </security-constraint>
> >
> >
> > On Thu, Jun 18, 2009 at 9:32 AM, abhishek reddy <abhishek.c1...@gmail.com> wrote:
> >
> > > How to prevent users from directly accessing JSP files, rather they have to
> > > come through a Struts action?
> > >
> > > --
> > > Abhishek
> > >
> >

-- 
 +- Jan T. Kim -------------------------------------------------------+
 |             email: j....@uea.ac.uk                                 |
 |             WWW:   http://www.cmp.uea.ac.uk/people/jtk             |
 *-----=<  hierarchical systems are for files, not for humans  >=-----*
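
An added example, not part of the original thread: a Python check that applies the two approaches discussed above (JSPs under /WEB-INF, or a security-constraint whose auth-constraint names no role) to context-relative JSP paths. The sample web.xml is constructed from the constraint quoted in the thread, the function names are hypothetical, and overlapping constraints are not ranked by best match.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor, built from the constraint quoted in the thread.
WEB_XML = """<web-app><security-constraint>
  <web-resource-collection>
    <web-resource-name>Raw Pages</web-resource-name>
    <url-pattern>/struts/*</url-pattern>
  </web-resource-collection>
  <auth-constraint><description>No roles, so no direct access</description></auth-constraint>
</security-constraint></web-app>"""

def local(tag):
    """Strip an XML namespace so descriptors with or without xmlns both parse."""
    return tag.rsplit("}", 1)[-1]

def deny_all_patterns(web_xml):
    """URL patterns of constraints whose auth-constraint names no role."""
    patterns = []
    for sc in ET.fromstring(web_xml).iter():
        if local(sc.tag) != "security-constraint":
            continue
        auth = [e for e in sc if local(e.tag) == "auth-constraint"]
        if not auth or any(local(r.tag) == "role-name" for r in auth[0]):
            continue  # no auth-constraint at all, or at least one role is let in
        # A collection that lists http-method covers only those methods: skip it.
        for wrc in (e for e in sc if local(e.tag) == "web-resource-collection"):
            if not any(local(c.tag) == "http-method" for c in wrc):
                patterns += [c.text.strip() for c in wrc if local(c.tag) == "url-pattern"]
    return patterns

def matches(pattern, path):
    """Simplified url-pattern match: exact, '/prefix/*' or '*.ext'."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return pattern == path

def classify(path, web_xml=WEB_XML):
    """Say why a context-relative JSP path is or is not reachable by direct URL."""
    if path.startswith("/WEB-INF/"):
        return "blocked: container does not serve WEB-INF"
    if any(matches(p, path) for p in deny_all_patterns(web_xml)):
        return "blocked: deny-all security-constraint"
    return "EXPOSED: direct URL reaches the JSP"
```

Note that the `listings` init-param plays no part in the result: a JSP outside both protections is classified as exposed whether or not directory listings are enabled.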
