Due to security concerns and general fussiness on my part, I'd like to prevent
users from requesting JSP pages directly, except for the login page. I want
all requests to be handled by servlets. That way I can legitimately claim that
all requests are being validated, input scrubbed, JSPs cannot be taken
advantage of without their servlet chaperones being present, etc.
a. One way I read about is adding a <security-constraint> for each folder. One
use case is for JSP include files. That looks possible but makes it seem like
these are exceptions and not the rule. I want "deny, deny, deny" to be the
default and the one or 2 allowable JSP pages to be the exception.
b. Another way mentioned is having most of the JSP files under the WEB-INF
folder. That way the users don't have access to the JSPs but the servlets do.
My understanding is a little wobbly here, because I can't conceptualize the
virtual path for files under WEB-INF when sending a response. (See line of
code below.) Also, that would require moving most of the JSP files.
> request.getRequestDispatcher("folder/file.jsp"); // what about WEB-INF?
Is there a "smart" way of doing this? Perhaps it would have been prudent to
organize the JSP folders "properly" in the first place, but we're way beyond
that now.
Got any comments, suggestions, advice?
Thanks. :-)
--
Cris Berneburg
CACI Lead Software Engineer
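Added example (not code from the original post or from its author): a servlet that forwards to a JSP kept under WEB-INF, with the companion web.xml fragment for the deny-by-default approach from option (a) shown in a comment at the top. The servlet name, the `/WEB-INF/jsp/` directory, the `id` parameter and the `folder/file.jsp` view are assumptions chosen for illustration. It relies on two facts about the servlet container: the container never serves anything under WEB-INF directly to a client, but a context-relative dispatcher path beginning with `/WEB-INF/` is perfectly valid; and security constraints are applied to client requests only, never to RequestDispatcher forwards or includes, so a deny-all constraint on `*.jsp` does not stop servlets from reaching their JSPs.

```java
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Companion web.xml fragment for option (a): deny direct JSP requests by
 * default, with the login page as the single exception.
 *
 * An <auth-constraint> that names no <role-name> precludes every client
 * request matching the pattern (no realm or <login-config> is needed for
 * that; the container answers 403).  The container selects constraints on
 * the best-matching url-pattern, exact matches before extension matches,
 * so the /login.jsp constraint, which carries no auth-constraint and is
 * therefore unrestricted, wins for that one page.  Listing no <http-method>
 * elements means every method is covered.
 *
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>Direct JSP access</web-resource-name>
 *       <url-pattern>*.jsp</url-pattern>
 *       <url-pattern>*.jspx</url-pattern>
 *     </web-resource-collection>
 *     <auth-constraint/>   <!-- no roles listed: nobody may request these -->
 *   </security-constraint>
 *
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>Login page</web-resource-name>
 *       <url-pattern>/login.jsp</url-pattern>
 *     </web-resource-collection>
 *     <!-- no auth-constraint here: the login page stays reachable -->
 *   </security-constraint>
 */
public class ReportServlet extends HttpServlet {

    // Assumed location for the views (option b).  Nothing under WEB-INF is
    // served to a client, but a dispatcher may address it by this path.
    private static final String VIEW_ROOT = "/WEB-INF/jsp/";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // The servlet is the chaperone: validate and scrub input here, then
        // hand the JSP only what it needs to render.  (Assumed parameter.)
        String id = request.getParameter("id");
        if (id == null || !id.matches("[0-9]{1,10}")) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid id");
            return;
        }
        request.setAttribute("reportId", Integer.parseInt(id));
        forwardTo(request, response, "folder/file.jsp");
    }

    private void forwardTo(HttpServletRequest request, HttpServletResponse response,
                           String view) throws ServletException, IOException {
        // The ServletContext dispatcher takes a context-relative path that must
        // start with "/", so the same view resolves no matter which URL this
        // servlet was mapped to.  request.getRequestDispatcher("/WEB-INF/...")
        // would work equally well; only a path without a leading "/" is taken
        // relative to the current request.
        RequestDispatcher rd = getServletContext().getRequestDispatcher(VIEW_ROOT + view);
        if (rd == null) {
            throw new ServletException("no such view: " + view);
        }
        rd.forward(request, response);
    }
}
```

The two approaches combine well: moving the JSPs under WEB-INF makes direct requests fail structurally (the container refuses them before any constraint is consulted), while the `*.jsp` deny-all constraint in web.xml catches any JSP that is still, or later, left outside WEB-INF. Check the result by requesting a JSP path directly in a browser (expect 403 for a constrained file, 404 for one under WEB-INF) and through its servlet (expect the rendered page).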