Vishnu,

If you would like to secure a particular file extension, try giving it as below.

    <url-pattern>*.jsp</url-pattern>

Hope it solves your issue.

Regards,
Sathish Kumar T

-----Original Message-----
From: Vishnu Vyasan Nelliparmbil [mailto:vis...@mun.gov.bh]
Sent: Thursday, June 25, 2009 12:55 PM
To: Struts Users Mailing List
Subject: RE: how to prevent users from directly accessing jsp files

Even I am facing the same problem.

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>All JSP direct access</web-resource-name>
        <url-pattern>/pages/*</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
      </web-resource-collection>
      <auth-constraint>
        <description> No Access </description>
        <role-name>restricted</role-name>
      </auth-constraint>
    </security-constraint>
    <security-role>
      <description>NO Access</description>
      <role-name>restricted</role-name>
    </security-role>

Upon restricting as given above, the container is not allowing Struts to access the JSP page. It's asking for a user name and password. Where am I wrong here?

My requirement is that the user should be able to access the JSP pages only through the actions.

Regards
Vishnu

-----Original Message-----
From: Kishan G. Chellap Paandy [mailto:kishanchellapaand...@spanservices.com]
Sent: 23 June 2009 07:06
To: Struts Users Mailing List
Subject: RE: how to prevent users from directly accessing jsp files

I tried something like below and it worked.

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>All JSP direct access</web-resource-name>
        <url-pattern>/jsp/*</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
      </web-resource-collection>
      <auth-constraint>
        <description> No Access </description>
        <role-name>restricted</role-name>
      </auth-constraint>
    </security-constraint>
    <security-role>
      <description>NO Access</description>
      <role-name>restricted</role-name>
    </security-role>

Thank you.

Regards,
Kishan.G
Team Leader.
www.spansystems.com

-----Original Message-----
From: Girish Naik [mailto:girish.n...@gmail.com]
Sent: Friday, June 19, 2009 8:19 PM
To: Struts Users Mailing List
Subject: Re: how to prevent users from directly accessing jsp files

But in that case the css, images, js is compromised, right? What if I want all to be secured?

Regards,
---------------------------------------------------------
Girish Naik
Mobile:-+91-09740091638
girish.n...@gmail.com

Fran Lebowitz<http://www.brainyquote.com/quotes/authors/f/fran_lebowitz.html> - "Life is something to do when you can't get to sleep."

On Fri, Jun 19, 2009 at 7:15 PM, Greg Lindholm <greg.lindh...@gmail.com> wrote:

> > I tried putting the below string in web.xml, but all my css, js from the
> > application got blocked. But pages are coming. Is something missing or some
> > extra thing to be done?
> >
> > <security-constraint>
> >   <display-name>Prevent access to raw pages.</display-name>
> >   <web-resource-collection>
> >     <web-resource-name>Raw Pages</web-resource-name>
> >     <url-pattern>/struts/*</url-pattern>
> >   </web-resource-collection>
> >   <auth-constraint>
> >     <description>No roles, so no direct access</description>
> >   </auth-constraint>
> > </security-constraint>
> >
> > Regards,
> > ---------------------------------------------------------
> > Girish Naik
>
> The way this security constraint works is it prevents direct access to the
> area defined by the <url-pattern>/struts/*</url-pattern> elements (you can
> have multiple). In this case we put our jsp files under /struts/ folder.
>
> You can name the folder whatever you like but only put jsp files in it. You
> need to put your css and js file someplace else.
>
> Our typical layout for webroot is:
> /
>   css/
>   images/
>   js/
>   struts/
>   WEB-INF/

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org
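
An added example, not part of any message in the thread: a small Python check that reads a web.xml and reports, per url-pattern, how the constraint styles posted above differ (one lists only GET and POST and relies on a role, the other uses an auth-constraint with no roles). The sample web.xml is constructed from the thread's snippets; `audit` and the wording of the findings are names chosen for this example.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml combining the two constraint styles posted in the thread.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>All JSP direct access</web-resource-name>
      <url-pattern>/pages/*</url-pattern>
      <http-method>POST</http-method><http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>restricted</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Raw Pages</web-resource-name>
      <url-pattern>/struts/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

def _local(elem):  # tag name without its XML namespace (xmlns is optional)
    return elem.tag.rsplit("}", 1)[-1]

def _texts(parent, name):
    """Trimmed text of every descendant element called `name`."""
    return [(e.text or "").strip() for e in parent.iter() if _local(e) == name]

def audit(web_xml):
    """Map each url-pattern to a list of findings about its constraint."""
    root, report = ET.fromstring(web_xml), {}
    for sc in (e for e in root.iter() if _local(e) == "security-constraint"):
        auth = [e for e in sc if _local(e) == "auth-constraint"]
        roles = _texts(auth[0], "role-name") if auth else []
        for wrc in (e for e in sc if _local(e) == "web-resource-collection"):
            findings = []
            methods = sorted(_texts(wrc, "http-method"))
            if methods:  # listing methods leaves every other method unconstrained
                findings.append("only " + ",".join(methods) + " constrained")
            if not auth:
                findings.append("no auth-constraint: access is not restricted")
            elif roles:  # holders of the role get in; others may be asked to log in
                findings.append("role-based: " + ",".join(roles))
            for pattern in _texts(wrc, "url-pattern"):
                report[pattern] = findings
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_WEB_XML))
```

An empty findings list means the pattern is covered for every HTTP method by an auth-constraint that names no role, so direct client requests are refused outright; forwards made through a RequestDispatcher are not subject to security constraints.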