Using a security constraint is the better way to go.

Here is a slightly different configuration we use because there are
some jsp files that are not part of the struts app portion which we
want to allow access to.

What we do is put all our struts jsp's into folder /struts then use
this <url-pattern>/struts/*</url-pattern> in the security constraint
to prevent access.

This works to prevent access because we don't declare any roles; no
roles means no access.

  <security-constraint>
    <display-name>Prevent access to raw pages.</display-name>
    <web-resource-collection>
      <web-resource-name>Raw Pages</web-resource-name>
      <url-pattern>/error.jsp</url-pattern>
      <url-pattern>/struts/*</url-pattern>
      <url-pattern>/META-INF/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <description>No roles, so no direct access</description>
    </auth-constraint>
  </security-constraint>


On Thu, Feb 18, 2010 at 2:41 AM, Lukasz Lenart
<lukasz.len...@googlemail.com> wrote:
> 2010/2/18 Cimballi <cimballi.cimba...@gmail.com>:
>> The default pattern is to put all JSPs under WEB-INF and so you force
>> the call to an action to access them.
>
> As far as I know, it works only under Tomcat - it isn't standard. A better
> solution is to use the security constraint section in web.xml
>
> <security-constraint>
>  <display-name>Access to JSP files</display-name>
>  <web-resource-collection>
>     <web-resource-name>JSP</web-resource-name>
>     <url-pattern>*.jsp</url-pattern>
>  </web-resource-collection>
>  <auth-constraint/>
> </security-constraint>
>
>
> Regards
> --
> Łukasz
> http://www.lenart.org.pl/
> Kapituła Javarsovia 2010
> http://javarsovia.pl
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
> For additional commands, e-mail: user-h...@struts.apache.org
>
>
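
An added example (not from the thread or from the Struts project): a small Python audit that lists the URL patterns in a web.xml covered by a role-less auth-constraint and checks request paths against them. The wrapping <web-app> element and all function names are assumptions; matching is simplified and does not model how a container combines overlapping constraints.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint from the message inside a minimal <web-app>.
WEB_XML = """<web-app>
  <security-constraint>
    <display-name>Prevent access to raw pages.</display-name>
    <web-resource-collection>
      <web-resource-name>Raw Pages</web-resource-name>
      <url-pattern>/error.jsp</url-pattern>
      <url-pattern>/struts/*</url-pattern>
      <url-pattern>/META-INF/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <description>No roles, so no direct access</description>
    </auth-constraint>
  </security-constraint>
</web-app>"""

def local(el):
    return el.tag.rsplit("}", 1)[-1]  # tag name without any XML namespace

def children(el, name):
    return [c for c in el if local(c) == name]

def deny_all_patterns(xml_text):
    """Return (patterns, warnings) for constraints whose auth-constraint names no role."""
    patterns, warnings = [], []
    root = ET.fromstring(xml_text)
    for sc in (e for e in root.iter() if local(e) == "security-constraint"):
        auth = children(sc, "auth-constraint")
        if not auth or children(auth[0], "role-name"):
            continue  # no auth-constraint, or roles are granted: not deny-all
        for wrc in children(sc, "web-resource-collection"):
            pats = [p.text.strip() for p in children(wrc, "url-pattern")]
            if children(wrc, "http-method"):
                warnings.append(f"{pats}: only the listed HTTP methods are denied")
            patterns += pats
    return patterns, warnings

def matches(pattern, path):
    """Servlet url-pattern rules: exact, '/prefix/*' path match, '*.ext' extension match."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return path == pattern

def is_blocked(xml_text, path):
    return any(matches(p, path) for p in deny_all_patterns(xml_text)[0])
```

The warning matters when reviewing a constraint like this one: a web-resource-collection that lists http-method elements applies the constraint only to those methods, so other methods are not covered by it.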
