On 6/19/2012 8:03 AM, Tim Watts wrote:
Hi Kiran,
On Tue, 2012-06-19 at 05:40 +0530, Kiran Badi wrote:
Hi All,
I need your guidance again.I have bunch of JSP's close to 100+ which I
need to protect it from direct access.
By "direct access" do you mean that http://host/myapp/sample.jsp is
returning the JSP source code rather than executing it? Or do you mean
that you don't want any .jsp URLs to be accessible to users?
No its not returning source code.I have couple of jsps where in I use EL
in those to access session objects and directly accessing those jsps is
not something I want.
I have this mapping in web xml and this is not working,It seems that
probably i need to define a role first and then use below settings.But
unfortunately my app is open internet application which does not use
realm at all.
<security-constraint>
<display-name>DenyAccesstoDirectJSP</display-name>
<web-resource-collection>
<web-resource-name>sample.jsp</web-resource-name>
<description>Sample confirmation JSP</description>
<url-pattern>*.jsp</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
</security-constraint>
This isn't going to help you. Dump it.
Yup its not helping.
All my jsp's are residing in the webpages folder of project directory.I
know this is incorrect and probably gives direct access to jsp's.
So I have some clarification to ask,
1. is their a way to tell tomcat to not to serve direct jsp's probably
via web xml
If by "serve direct jsp's" you mean "don't return source code" then,
yes. Put them under your web app's directory. For example, if your web
app's context is 'myapp' then in tomcat it will be deployed under
<TC_BASE>/webapps/myapp. You could put them directly in this directory
or group them under a separate directory; 'jsps' for instance. Then
sample.jsp would be addressed as http://host/myapp/sample.jsp (or
http://host/myapp/jsps/sample.jsp )
Yup I have same setup.Still its not working.my bad.
2. Is their any extra setting that is required if I move my JSP's inside
web-inf.I created a folder under web-inf and create sample hello
world.jsp and then tried to invoke that jsp but got 404 message.
First of all, it's WEB-INF. Case matters.
Ok got it.
No, there's no special "setting" that will directly expose anything
under WEB-INF via a URL. That's the part of the Servlet Spec. It's a
Good ThingĀ®. However, if you're trying to make your JSPs inaccessible
via URLs, then you can move them there and have them indirectly accessed
using a servlet which forwards the request to them. See
ServletContext.getRequestDispatcher() and RequestDispatcher.forward().
Yup I have lot many of request dispatchers in servlets.Almost all my
JSP's are using data which is forwarded by servlets.I pull data from db
via servlet, store it in session scope,forward it to jsp and in jsp
access it via el.On logoff I remove attributes from the session.
Hopefully, you're trying to use or move toward the MVC (Model, View,
Controller) pattern. If not, you should. Google "MVC design pattern".
There are many, many frameworks that will make this easier for you (once
you learn them): Struts, Spring MVC...
If you're well into your project and don't want to add a framework to it
you could write a simple servlet that uses an algorithm to map URI paths
to JSPs then forwards to the JSP using a dispatcher. For instance, you
could put your JSPs in myapp/WEB-INF/jsps. Then have the servlet map a
URI such as /sample to /WEB-INF/jsps/sample.jsp (all relative
to /myapp).
http://localhost:8080/mysite/WEB-INF/jsp/newjsp.jsp
I just created folder jsp under WEB-INF and then added newjsp.jsp(this
is hello world jsp) and then ran the file.I get 404 error. I am trying
all this with netbeans.
This isn't a great approach because you really aren't separating the
model from the view (all the app logic and display logic are housed in
the JSP -- a maintenance nightmare). But if you don't have time to
re-architect the app now, it will hide the .jsp's from "direct access".
And it will put you in a slightly better position if/WHEN you do
re-architect it.
I think I am using kind of MVC pattern of course the one used around 6
to 8 years back.I am using jsp as view, servlet as kind controller and
then some beans/jstl and el to make my life easy somewhat. I would love
to work with frameworks like spring or struts someday.
Ok let me explain as what I need again,
I have form A with say about 10 fields, lets call this as jsp A. So in
browser bar it looks like http://localhost:8080/mysite/A.jsp
User fills this A.jsp and then clicks Submit button. It posts the form
to Servlet B which does insert in the database and then forwards the
request via request dispatcher to C.jsp which has some confirmation
details in it.(Unique reference ids pulled out from DB).
Now with my existing setup if I directly give url like
http://localhost:8080/mysite/C.jsp I go directly to C Jsp which I
should not because its not suppose to be accessed directly.
I want to block this behaviour and its this behaviour I call direct
access to JSP.
I dont get source code of any of my JSP's.my setup is pretty simple with
just j2ee stuff and tomcat.
- Kiran
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
