RE: how to prevent users from directly accessing jsp files

Mon, 22 Jun 2009 21:08:21 -0700 

I tried something like below it worked

<security-constraint>
    <web-resource-collection>
      <web-resource-name>All JSP direct access</web-resource-name>
      <url-pattern>/jsp/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <description>
       No Access
      </description>
      <role-name>restricted</role-name>
     </auth-constraint>
  </security-constraint>
  
  <security-role>
    <description>NO Access</description>
    <role-name>restricted</role-name>
  </security-role>

Thank you.
Regards,
Kishan.G
 
Team Leader.
www.spansystems.com




-----Original Message-----
From: Girish Naik [mailto:girish.n...@gmail.com] 
Sent: Friday, June 19, 2009 8:19 PM
To: Struts Users Mailing List
Subject: Re: how to prevent users from directly accessing jsp files

But in that case the css, images, js is compromised rite?
What if I want all to be secured?


Regards,
---------------------------------------------------------
Girish Naik
Mobile:-+91-09740091638
girish.n...@gmail.com
Fran Lebowitz<http://www.brainyquote.com/quotes/authors/f/fran_lebowitz.html>
- "Life is something to do when you can't get to sleep."

On Fri, Jun 19, 2009 at 7:15 PM, Greg Lindholm <greg.lindh...@gmail.com>wrote:

> >  I tried  putting the below string in web.xml, but all my css, js from
> the
> > application got blocked. But pages are coming. Is something missing or
> some
> > extra thing to be done?
> >
> > <security-constraint>
> >        <display-name>Prevent access to raw pages.</display-name>
> >        <web-resource-collection>
> >            <web-resource-name>Raw Pages</web-resource-name>
> >            <url-pattern>/struts/*</url-pattern>
> >        </web-resource-collection>
> >        <auth-constraint>
> >            <description>No roles, so no direct access</description>
> >        </auth-constraint>
> >    </security-constraint>
> >
> >
> >
> > Regards,
> > ---------------------------------------------------------
> > Girish Naik
> >
>
> The way this security constraint works is it prevents direct access to the
> area defined
> by the <url-pattern>/struts/*</url-pattern> elements (you can have
> multiple). In this case
> we put our jsp files under /struts/ folder.
>
> You can name the folder whatever you like but only put jsp files in it.
>  You
> need to put
> your css and js file someplace else.
>
> Our typical layout for webroot is:
> /
>  css/
>  images/
>  js/
>  struts/
>  WEB-INF/
>

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org

Reply via email to