Put them under WEB-INF.
CS Wong wrote:
>
> Hi,
>
> I've had a pen test finding where our JSP files, which are in the public
> directories of our web app, can be opened directly as long as the user knows
> the name of the JSP file. This is a site where a login is mandatory to
> access any content. Struts actions are already protected where the action
> itself will detect for sessions and enforce security, but direct access to
> JSP doesn't seem to be protected in the same way and apparently, this is a
> security risk. The auditor's opinion is that no content whatsoever should be
> viewable by anyone without a valid session.
>
> May I know what can be done to accomplish this? Both our Struts 1 and 2
> applications are affected by this finding.
>
> Thanks,
> Wong
>

--
View this message in context: http://old.nabble.com/How-to-prevent-JSP-files-from-being-publicly-directly-accessible--tp27632906p27637097.html
Sent from the Struts - User mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org
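As an added example (not from the thread or either Struts project), this is the layout the reply implies for both versions Wong mentions: the JSPs move under WEB-INF, which the servlet container never serves to a client request, and only the session-checking action reaches them through a server-side forward. File paths, package, action and class names are assumed.

```xml
<!-- Added example. Assumed layout: the view now lives at
     /WEB-INF/jsp/welcome.jsp instead of a public directory, so a
     browser request for it gets 404 from the container; only a
     RequestDispatcher forward from inside the web app can reach it. -->

<!-- Struts 2: struts.xml (excerpt) -->
<struts>
  <package name="secure" namespace="/" extends="struts-default">
    <!-- WelcomeAction (assumed) does the session check and returns
         "login" when there is no valid session; "success" forwards
         into WEB-INF, which is permitted for server-side forwards. -->
    <action name="welcome" class="com.example.WelcomeAction">
      <result name="success">/WEB-INF/jsp/welcome.jsp</result>
      <result name="login" type="redirectAction">login</result>
    </action>
  </package>
</struts>

<!-- Struts 1: struts-config.xml (excerpt) -->
<struts-config>
  <action-mappings>
    <!-- Same idea: the action enforces the session, and its forward
         points under WEB-INF rather than at a public JSP. -->
    <action path="/welcome" type="com.example.WelcomeAction">
      <forward name="success" path="/WEB-INF/jsp/welcome.jsp"/>
      <forward name="login" path="/login.do" redirect="true"/>
    </action>
  </action-mappings>
</struts-config>
```

Any JSP left outside WEB-INF remains directly requestable, so the audit check is simply to list every *.jsp in the deployed WAR and confirm each sits under WEB-INF.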