Hi Kiran,

On Tue, 2012-06-19 at 05:40 +0530, Kiran Badi wrote:
> Hi All,
> 
> I need your guidance again. I have a bunch of JSPs, close to 100+, which I 
> need to protect from direct access.
> 
By "direct access" do you mean that http://host/myapp/sample.jsp is
returning the JSP source code rather than executing it?  Or do you mean
that you don't want any .jsp URLs to be accessible to users?

> I have this mapping in web.xml and it is not working. It seems that 
> I probably need to define a role first and then use the settings below. But 
> unfortunately my app is an open internet application which does not use a 
> realm at all.
> 
> <security-constraint>
>   <display-name>DenyAccesstoDirectJSP</display-name>
>   <web-resource-collection>
>     <web-resource-name>sample.jsp</web-resource-name>
>     <description>Sample confirmation JSP</description>
>     <url-pattern>*.jsp</url-pattern>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>   </web-resource-collection>
> </security-constraint>
> 
This isn't going to help you. Dump it.

> All my JSPs are residing in the webpages folder of the project directory. I 
> know this is incorrect and probably gives direct access to the JSPs.
> 
> So I have some clarifications to ask:
> 
> 1. Is there a way to tell Tomcat not to serve direct JSPs, probably 
> via web.xml?
> 
If by "serve direct jsp's" you mean "don't return source code" then,
yes.  Put them under your web app's directory.  For example, if your web
app's context is 'myapp' then in Tomcat it will be deployed under
<TC_BASE>/webapps/myapp.  You could put them directly in this directory
or group them under a separate directory; 'jsps' for instance.  Then
sample.jsp would be addressed as http://host/myapp/sample.jsp (or
http://host/myapp/jsps/sample.jsp).

> 2. Is there any extra setting that is required if I move my JSPs inside 
> web-inf? I created a folder under web-inf and created a sample hello 
> world.jsp and then tried to invoke that JSP but got a 404 message.
> 
First of all, it's WEB-INF. Case matters.

No, there's no special "setting" that will directly expose anything
under WEB-INF via a URL.  That's part of the Servlet Spec.  It's a
Good Thing®.  However, if you're trying to make your JSPs inaccessible
via URLs, then you can move them there and have them indirectly accessed
using a servlet which forwards the request to them.  See
ServletContext.getRequestDispatcher() and RequestDispatcher.forward().

Hopefully, you're trying to use or move toward the MVC (Model, View,
Controller) pattern.  If not, you should.  Google "MVC design pattern".
There are many, many frameworks that will make this easier for you (once
you learn them): Struts, Spring MVC...

If you're well into your project and don't want to add a framework to it
you could write a simple servlet that uses an algorithm to map URI paths
to JSPs then forwards to the JSP using a dispatcher.  For instance, you
could put your JSPs in myapp/WEB-INF/jsps.  Then have the servlet map a
URI such as /sample to /WEB-INF/jsps/sample.jsp (all relative
to /myapp).

This isn't a great approach because you really aren't separating the
model from the view (all the app logic and display logic are housed in
the JSP -- a maintenance nightmare).  But if you don't have time to
re-architect the app now, it will hide the .jsp's from "direct access".
And it will put you in a slightly better position if/WHEN you do
re-architect it.


> - Kiran
> 

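As an added example (not code from the original thread, nor from Kiran's application), here is the kind of forwarding servlet the reply describes, covering both the WEB-INF point and the URI-to-JSP mapping: it maps /myapp/view/sample to /WEB-INF/jsps/sample.jsp and forwards to it with a RequestDispatcher. The class name ViewDispatcherServlet, the /view/* mapping and the /WEB-INF/jsps/ directory are assumptions made for the illustration; it uses the Servlet 3.0 @WebServlet annotation (Tomcat 7), so on an older container the same mapping goes in web.xml instead. One thing worth adding to the reply's sketch: the forward target is built from user input, so the servlet only accepts plain view names matching an allowlist instead of concatenating the raw path. That way a ".." segment or an unexpected file name cannot steer the forward to a JSP you did not intend to expose through this entry point.

```java
// Added example: a minimal front-controller servlet that hides JSPs under
// WEB-INF and reaches them only by forwarding. Names below are assumptions.
package example; // hypothetical package

import java.io.IOException;
import java.util.regex.Pattern;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Assumed mapping: /myapp/view/<name> -> /WEB-INF/jsps/<name>.jsp
@WebServlet(urlPatterns = "/view/*")
public class ViewDispatcherServlet extends HttpServlet {

    // Assumed location of the JSPs; nothing under WEB-INF is served directly.
    private static final String JSP_DIR = "/WEB-INF/jsps/";

    // Allowlist for view names: letters, digits, '_' and '-', optionally
    // grouped into sub-directories ("orders/confirm"). This rejects "..",
    // leading slashes, dots and anything else that is not a plain name.
    private static final Pattern SAFE_NAME =
            Pattern.compile("^[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)*$");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        dispatch(req, resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        dispatch(req, resp);
    }

    private void dispatch(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getPathInfo() is the part after the servlet mapping, e.g. "/sample"
        String name = toViewName(req.getPathInfo());
        if (name == null) {
            // Unsafe or empty name: answer 404 rather than guessing a view.
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        String jsp = JSP_DIR + name + ".jsp";

        // A RequestDispatcher path is context-relative and may point under
        // WEB-INF, even though the same path is never served to a browser.
        RequestDispatcher rd = getServletContext().getRequestDispatcher(jsp);
        if (rd == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        rd.forward(req, resp);
    }

    /**
     * Maps path info such as "/sample" or "/orders/confirm" to a view name,
     * or returns null when the name is missing or fails the allowlist.
     */
    static String toViewName(String pathInfo) {
        if (pathInfo == null || pathInfo.length() < 2 || pathInfo.charAt(0) != '/') {
            return null;
        }
        String name = pathInfo.substring(1);
        return SAFE_NAME.matcher(name).matches() ? name : null;
    }
}
```

Two things to keep in mind when using this pattern: the web.xml security constraints apply only to requests coming from the client, not to a RequestDispatcher forward or include, so the servlet itself is the place to enforce who may reach which view; and a forward to a JSP path that does not exist will still end in a 404 from the JSP servlet, so a missing view is not silently swallowed.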