The default pattern is to put all JSPs under WEB-INF and so you force the call to an action to access them.
Cimballi

On Wed, Feb 17, 2010 at 7:46 PM, Wong Chin Shin <lilw...@gmail.com> wrote:
> Hi,
>
> I've had a pen test finding where our JSP files, which are in the public
> directories of our web app can be opened directly as long as the user knows
> the name of the JSP file. This is a site where a login is mandatory to
> access any content. Struts actions are already protected where the action
> itself will detect for sessions and enforce security but direct access to
> JSP doesn't seem to be protected in the same way and apparently, this is a
> security risk. The auditor's opinion is that no content whatsoever should be
> viewable by anyone without a valid session.
>
> May I know what can be done to accomplish this? Both our Struts 1 and 2
> applications are affected by this finding.
>
> Thanks,
> Wong
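An added example, not code from this thread or from Struts: a servlet filter that complements moving JSPs under WEB-INF by refusing direct requests to any still-public `*.jsp` unless the request carries a logged-in session. The session attribute name `user`, the login action path `/login.action` and the public `/login.jsp` are assumptions for the example.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Rejects direct browser requests to public JSPs that lack a valid session.
 * Register it in web.xml with:
 *   <filter><filter-name>jspGuard</filter-name>
 *     <filter-class>SessionRequiredFilter</filter-class></filter>
 *   <filter-mapping><filter-name>jspGuard</filter-name>
 *     <url-pattern>*.jsp</url-pattern></filter-mapping>
 * With no <dispatcher> element the mapping applies only to REQUEST
 * dispatches, so forwards from an already-authenticated Struts action
 * to its JSP are not re-checked; only direct hits on the .jsp are.
 */
public class SessionRequiredFilter implements Filter {
    // Assumed: the login action stores the principal under this attribute.
    static final String USER_ATTR = "user";
    // Assumed: where unauthenticated users are sent, and the one public JSP.
    static final String LOGIN_ACTION = "/login.action";
    static final String LOGIN_PAGE = "/login.jsp";

    public void init(FilterConfig cfg) { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // getSession(false): never create a session just to inspect it.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_ATTR) != null;
        if (loggedIn || LOGIN_PAGE.equals(request.getServletPath())) {
            chain.doFilter(req, res);
            return;
        }
        // No session: do not render the page; redirect to the login action.
        response.sendRedirect(request.getContextPath() + LOGIN_ACTION);
    }

    public void destroy() { }
}
```

Moving the JSPs under WEB-INF remains the primary fix, since the container will not serve anything below it directly; the filter only catches pages that must stay public for other reasons.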