Posted to users@tomcat.apache.org by Tim Coultas <tc...@helper.com> on 2001/04/18 00:42:08 UTC

Hiding JSPs from Public Access

Folks -

I have run into the common problem where visitors can get at my jsp files
even though I have set up a log-in system of security using a central "traffic
circle" servlet that forwards users to jsp pages.

I have the servlets residing in a directory named jsp under the main context
directory.

However, a visitor can get the jsp pages by going to:

http://www.website.com/context/jsp/filename.jsp

I have tried to cut off access by placing this directory in the WEB-INF
directory, but I can still get to it at the URL above.  Also, I have tried
to just dump all of the .jsp's into the WEB-INF directory (and not place
them in a sub-directory) and I can STILL get to them at the URL above.

I have also tried to edit the web.xml security section by entering something
like "<url-pattern>/jsp/*</url-pattern>" and
"<url-pattern>/jsp/filename.jsp</url-pattern>" but this does not have any
effect.

How the heck do I do this?????

Has anyone been able to do it?????????

Thanks.

Tim Coultas



Re: Hiding JSPs from Public Access

Posted by Sam Newman <sa...@stamplets.com>.
I would guess you'd want to stick an action in that checks the current
session ID for user authentication info. If it's not found, the rest of the
page isn't displayed (e.g. get a TagHandler to skip the rendering of the
rest of the page). Ideally you could do this via a Taglib and stick it at
the top of each page.

sam
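
A tag handler of the kind suggested in the reply above, as an added example that is not part of the original thread. The class name, package, and the `authUser` session attribute are assumptions; the login servlet is assumed to set that attribute after a successful log-in.

```java
// Added example, not code from the thread. RequireLoginTag, the package name
// and the "authUser" attribute are hypothetical names chosen for illustration.
package example.tags;

import java.io.IOException;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.tagext.TagSupport;

public class RequireLoginTag extends TagSupport {

    // Assumption: the central login servlet stores the user under this key.
    private static final String AUTH_ATTRIBUTE = "authUser";

    public int doStartTag() {
        return SKIP_BODY; // the tag is used empty and has no body to evaluate
    }

    public int doEndTag() throws JspException {
        // Null check guards pages that do not take part in a session.
        HttpSession session = pageContext.getSession();
        boolean loggedIn = session != null
                && session.getAttribute(AUTH_ATTRIBUTE) != null;
        if (loggedIn) {
            return EVAL_PAGE; // authenticated: render the rest of the JSP
        }

        // Fail closed: a direct request without login state gets a 403.
        HttpServletResponse response =
                (HttpServletResponse) pageContext.getResponse();
        try {
            if (!response.isCommitted()) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
            }
        } catch (IOException e) {
            throw new JspException("Could not send 403: " + e.getMessage());
        }
        return SKIP_PAGE; // nothing after the tag is rendered
    }
}
```

The tag has to be declared in a tag library descriptor and placed at the very top of each JSP, before any output is written. A page that omits the tag is not covered by this check.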