You are viewing a plain text version of this content. The canonical link for it is here.

Posted to user@struts.apache.org by Timothy Orme <to...@genome.med.harvard.edu> on 2009/05/15 20:36:18 UTC

Disabling JSP's

Hello All,

	I'm in the process of migrating pages from JSP's using snippets to struts actions. I'm wondering how people have disabled access to JSP's so that they cannot be accessed outside of the action anymore.
	Right now if I have an action like:

	<action name="ViewIndex" class="action.BaseAction">
		<result name="success">/private/index.jsp</result>
	</action>

	There is nothing preventing the user from just browsing directly to /private/index.jsp instead of accessing it through the Action URL. This could have some bad implications about security, but also 
might just look bad if a page that should be receiving data from an action no longer has the source.

	How have people worked around this in the past?

-Tim Orme


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org

Re: Disabling JSP's

Posted by Scott Stanlick <st...@gmail.com>.

Put you pages under web-inf



On May 15, 2009, at 1:36 PM, Timothy Orme  
<to...@genome.med.harvard.edu> wrote:

> Hello All,
>
>    I'm in the process of migrating pages from JSP's using snippets  
> to struts actions. I'm wondering how people have disabled access to  
> JSP's so that they cannot be accessed outside of the action anymore.
>    Right now if I have an action like:
>
>    <action name="ViewIndex" class="action.BaseAction">
>        <result name="success">/private/index.jsp</result>
>    </action>
>
>    There is nothing preventing the user from just browsing directly  
> to /private/index.jsp instead of accessing it through the Action  
> URL. This could have some bad implications about security, but also  
> might just look bad if a page that should be receiving data from an  
> action no longer has the source.
>
>    How have people worked around this in the past?
>
> -Tim Orme
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
>

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org

Re: Disabling JSP's

Posted by Timothy Orme <to...@genome.med.harvard.edu>.

Ah perfect, I was not aware this was the case. Thanks!

Jim Kiley wrote:
> Put the JSP under /WEB-INF -- it is accessible to Struts routing but not
> directly viewable by end clients.
> jk
> 
> On Fri, May 15, 2009 at 2:36 PM, Timothy Orme
> <to...@genome.med.harvard.edu>wrote:
> 
>> Hello All,
>>
>>        I'm in the process of migrating pages from JSP's using snippets to
>> struts actions. I'm wondering how people have disabled access to JSP's so
>> that they cannot be accessed outside of the action anymore.
>>        Right now if I have an action like:
>>
>>        <action name="ViewIndex" class="action.BaseAction">
>>                <result name="success">/private/index.jsp</result>
>>        </action>
>>
>>        There is nothing preventing the user from just browsing directly to
>> /private/index.jsp instead of accessing it through the Action URL. This
>> could have some bad implications about security, but also might just look
>> bad if a page that should be receiving data from an action no longer has the
>> source.
>>
>>        How have people worked around this in the past?
>>
>> -Tim Orme
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
>> For additional commands, e-mail: user-help@struts.apache.org
>>
>>
> 
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org

Re: Disabling JSP's

Posted by Jim Kiley <jh...@summa-tech.com>.

Put the JSP under /WEB-INF -- it is accessible to Struts routing but not
directly viewable by end clients.
jk

On Fri, May 15, 2009 at 2:36 PM, Timothy Orme
<to...@genome.med.harvard.edu>wrote:

> Hello All,
>
>        I'm in the process of migrating pages from JSP's using snippets to
> struts actions. I'm wondering how people have disabled access to JSP's so
> that they cannot be accessed outside of the action anymore.
>        Right now if I have an action like:
>
>        <action name="ViewIndex" class="action.BaseAction">
>                <result name="success">/private/index.jsp</result>
>        </action>
>
>        There is nothing preventing the user from just browsing directly to
> /private/index.jsp instead of accessing it through the Action URL. This
> could have some bad implications about security, but also might just look
> bad if a page that should be receiving data from an action no longer has the
> source.
>
>        How have people worked around this in the past?
>
> -Tim Orme
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
>
>


-- 
Jim Kiley
Senior Technical Consultant | Summa
[p] 412.258.3346
http://www.summa-tech.com

Re: Disabling JSP's

Posted by Lukasz Lenart <lu...@googlemail.com>.

Check that solution [1], is better and should works for any kind of
servlet container; putting files under WEB-INF is not always good
because there isn't strict specification to protect files under
WEB-INF - it works for Tomcat but I don't know if it does for others.

[1] http://www.java-samples.com/showtutorial.php?tutorialid=579


Regards
-- 
Lukasz
http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org