Posted to users@tomcat.apache.org by Nicolas Moldavsky <ni...@caraytech.com> on 2001/07/10 22:33:38 UTC

Restricting access to certain type of files

We have developed an application using JBoss and Tomcat 3.2.1 and we need
to restrict access to .jsp files which are used as includes.  We use files
like header.jsp and footer.jsp which are included from servlets, but we
don't want users to be able to access /header.jsp without going through
the servlet.  All the JSP files are executed from servlets and none should
be accessed directly.  I've tried removing the mapping for the .jsp
extension in web.xml but nothing changed.  Is there an easy way to deny
access to all .jsp URLs, but which will still allow includes from inside
servlets to work?

I.e., something like this:

<FilesMatch "\.jsp$">
	deny from all
</FilesMatch>

Thanks,
	Nicolas Moldavsky
	nico@caraytech.com


Re: Restricting access to certain type of files

Posted by Thomas Jones <wo...@bellsouth.net>.
There are several ways to do this; one that I have found effective is the
following:

In the servlet, right before the RequestDispatcher.include, set an attribute
on the request object.  It is important to set an attribute and not a
session variable.  At the top of the include for the JSP file, check for the
set attribute.  If the attribute exists then you know the request came from
your servlet.  If it does not exist then you can forward to some error page
as appropriate.

Cheers,

Thomas Jones

----- Original Message -----
From: "Nicolas Moldavsky" <ni...@caraytech.com>
To: <to...@jakarta.apache.org>
Sent: Tuesday, July 10, 2001 4:33 PM
Subject: Restricting access to certain type of files


> We have developed an application using JBoss and Tomcat 3.2.1 and we need
> to restrict access to .jsp files which are used as includes.  We use files
> like header.jsp and footer.jsp which are included from servlets, but we
> don't want users to be able to access /header.jsp without going through
> the servlet.  All the JSP files are executed from servlets and none should
> be accessed directly.  I've tried removing the mapping for the .jsp
> extension in web.xml but nothing changed.  Is there an easy way to deny
> access to all .jsp URLs, but which will still allow includes from inside
> servlets to work?
>
> I.e, something like this:
>
> <FilesMatch "\.jsp$">
> deny from all
> </FilesMatch>
>
> Thanks,
> Nicolas Moldavsky
> nico@caraytech.com
>
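
The request-attribute check described in the reply above, written out as an added example (not code posted by either participant). The class name PageServlet and the attribute name are hypothetical, and the guard answers a direct request with a 404 instead of forwarding to an error page.

```java
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet that builds a page from header.jsp and footer.jsp.
public class PageServlet extends HttpServlet {
    // Hypothetical attribute name. Request attributes exist only on the server,
    // so a client cannot supply one the way it can supply a parameter or cookie.
    public static final String INCLUDE_MARKER = "com.example.includedByServlet";

    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        res.setContentType("text/html");
        includeFragment(req, res, "/header.jsp");
        res.getWriter().println("<p>Page body written by the servlet.</p>");
        includeFragment(req, res, "/footer.jsp");
    }

    // Sets the marker immediately before the include and clears it afterwards,
    // so it is present only while the fragment is being rendered.
    private void includeFragment(HttpServletRequest req, HttpServletResponse res,
                                 String path) throws ServletException, IOException {
        RequestDispatcher rd = getServletContext().getRequestDispatcher(path);
        req.setAttribute(INCLUDE_MARKER, Boolean.TRUE);
        try {
            rd.include(req, res);
        } finally {
            req.removeAttribute(INCLUDE_MARKER);
        }
    }
}

/* Guard placed at the very top of header.jsp and footer.jsp, before any output.
   A direct request for /header.jsp never passes through PageServlet, so the
   attribute is missing and the fragment is not rendered.

<%
    if (request.getAttribute("com.example.includedByServlet") == null) {
        response.sendError(HttpServletResponse.SC_NOT_FOUND);
        return;
    }
%>
*/
```

The guard has to be repeated in every JSP that must not be reachable directly; a fragment without it is still served to anyone who requests its URL.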