On Wed, Aug 22, 2018 at 11:44 AM, Berneburg, Cris J. - US <cberneb...@caci.com> wrote:
> Hi Woonsan
>
> cjb> I'd like to prevent users from requesting JSP pages directly
>
> cjb> a. [...] adding a <security-constraint> for each folder.
>
> cjb> b. [...] JSP files under the WEB-INF folder.
>
> wk> c. Implement a servlet filter which is mapped to /* with
> wk> dispatcher options: REQUEST, INCLUDE, FORWARD. The filter may
> wk> check the request URI or include/forward URI (through request
> wk> attributes).
>
> wk> The chapter 6 of the servlet spec [1] describes what Filter is,
> wk> when/how it can be used, its lifecycle, etc. Dispatcher options
> wk> are explained in 6.2.5. Your servlet filter implementation may
> wk> be invoked as pre-processing component before other resources
> wk> or servlets. When .jsp is accessed directly, your filter may
> wk> be invoked as REQUEST dispatcher option (the default unless
> wk> configured manually), you can check the resource path info
> wk> through HttpRequestServlet#getRequestURI(). e.g.,
> wk> /examples/hello.jsp. If you want to check the cases where the
> wk> JSP is included or forwarded through RequestDispatcher, you may
> wk> check servlet request attributes described in the section 9.3.1
> wk> (for inclusion) or 9.4.2 (for forwarding). So, you might want to
> wk> check include/forward path first and find requestURI afterward
> wk> to check everything and modify the response as a result. For
> wk> example, you can choose to send a 4xx response if the condition
> wk> doesn't meet your requirement. All of those are based on
> wk> servlet standards.
>
> I'm afraid this is a bit more advanced than where I currently am ATM and
> possibly what my project requires.

It was just an option. ;-) Feel free to ignore. It's for you to judge your case best.
Woonsan

> Also, I am reminded of the textbook phrase, "the rest is left as an exercise
> to the reader". :-)

Or a presenter...

> --
> Cris Berneburg
> CACI Lead Software Engineer
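As an added illustration of option (c) above (this is example code, not code from the thread or from Tomcat), here is a Servlet 3.0 filter mapped to /* for REQUEST, INCLUDE and FORWARD dispatches that checks the include/forward attributes first and only rejects a .jsp when a client asked for it by URL. The class name DirectJspAccessFilter is hypothetical.

```java
import java.io.IOException;
import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical class name; equivalent to a <filter-mapping> with three <dispatcher> entries in web.xml.
@WebFilter(urlPatterns = "/*",
           dispatcherTypes = {DispatcherType.REQUEST, DispatcherType.INCLUDE, DispatcherType.FORWARD})
public class DirectJspAccessFilter implements Filter {

    // Request attributes the container sets on include / forward dispatches (servlet spec 9.3.1 / 9.4.2).
    private static final String INCLUDE_REQUEST_URI = "javax.servlet.include.request_uri";
    private static final String FORWARD_REQUEST_URI = "javax.servlet.forward.request_uri";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (isDirectJspRequest(request)) {
            // 404 rather than 403 so the response does not confirm that the JSP exists.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    /** True only when a client requested a JSP by URL, not when a servlet included or forwarded to it. */
    static boolean isDirectJspRequest(HttpServletRequest request) {
        // Include/forward first: these attributes exist only on server-side dispatches; clients cannot set them.
        if (request.getAttribute(INCLUDE_REQUEST_URI) != null
                || request.getAttribute(FORWARD_REQUEST_URI) != null) {
            return false;
        }
        if (request.getDispatcherType() != DispatcherType.REQUEST) {
            return false; // ERROR and ASYNC dispatches are container-driven as well
        }
        // Use the decoded, normalized servlet path + path info instead of the raw getRequestURI(),
        // so percent-encoded or case-varied spellings of the extension are still caught.
        String pathInfo = request.getPathInfo();
        String path = request.getServletPath() + (pathInfo == null ? "" : pathInfo);
        String lower = path.toLowerCase();
        return lower.endsWith(".jsp") || lower.endsWith(".jspx");
    }
}
```

Because a filter never runs for resources the container refuses to serve, this complements rather than replaces placing JSPs under WEB-INF (option b).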