>From: Christopher Schultz [mailto:ch...@christopherschultz.net]
>Subject: Re: WEB-INF
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Leo,
>
>I'll chime in. :)
>
>On 9/10/2010 10:13 AM, Leo Donahue - PLANDEVX wrote:
>> I've read that you can secure direct access to a JSP by placing it in
>> the WEB-INF directory. I know you can also secure direct access to a
>> JSP by creating a security constraint using URL patterns and
>> assigning role names that do not exist.
>>
>> I've also "heard" that when you secure a URL using a security
>> constraint, that you are not securing the "resource".
>
>That depends on what you think the "resource" is. If it's a file on a
>disk, then it is only "secure" if you secure all ways to retrieve it. If
>you have multiple URLs that reference the same file on a disk, then yes,
>you can "secure" one URL and not another and therefore your file is not
>entirely "secure".
>
>Chuck doesn't come right out and say this, but I believe he's hinting at
>the fact that files on a disk are largely irrelevant: they are an
>implementation detail where HTTP is concerned: the URL is a request for
>a resource. Securing that URL is securing the resource. The fact that
>multiple resources might result in the same response (from the same file
>on the disk) is just a coincidence.
>
>- -chris
The "heard" part I mentioned in my original post was actually a comment from another forum. The comment: "The URL mapping, as its name implies, works on submitted URLs and doesn't protect resources"

The comment was in reference to using a URL pattern in a security constraint, and I didn't understand the use of that phrase "...works on submitted URLs and doesn't protect resources". The Tomcat list cleared this up, thanks everyone.

Leo
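As an added illustration of the point Chris makes above (a constructed web.xml, not something from the thread or from Tomcat itself), here is one JSP file reachable through two URLs, with the constraint that covers only one of them beside the constraint that covers both. The paths `/reports/summary.jsp` and `/summary` are made up; an empty `<auth-constraint/>` is the Servlet-spec way of denying every caller, the same effect as naming a role that does not exist.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example. Both URLs below render the same file,
     /reports/summary.jsp, from the web application root. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- A servlet declaration that serves the JSP file under a second URL. -->
  <servlet>
    <servlet-name>summary</servlet-name>
    <jsp-file>/reports/summary.jsp</jsp-file>
  </servlet>
  <servlet-mapping>
    <servlet-name>summary</servlet-name>
    <url-pattern>/summary</url-pattern>
  </servlet-mapping>

  <!-- BEFORE: only the direct URL is constrained. Requests for
       /reports/summary.jsp are refused, but /summary still renders
       the same file, so the file on disk is not "secured". -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>direct jsp url only</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <!-- AFTER: every URL that reaches the file is listed, so the
       constraint now covers the resource however it is requested.
       Keep this block in place of the one above. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>all urls to summary</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
      <url-pattern>/summary</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <!-- Alternative: move the file to /WEB-INF/jsp/summary.jsp. The container
       never serves anything under /WEB-INF directly, so the only route left
       is the /summary mapping, and that single URL is what you constrain. -->
</web-app>
```

Checking which URLs reach a given JSP means reading every `<servlet-mapping>`, `<jsp-file>`, welcome-file and forward in the application, not just the file's own path.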