Posted to user@struts.apache.org by abhishek reddy <ab...@gmail.com> on 2009/06/18 15:32:13 UTC

how to prevent users from directly accessing jsp files

How to prevent users from directly accessing jsp files, rather they have to
come through Struts action?

-- 
Abhishek

Re: how to prevent users from directly accessing jsp files

Posted by Jim Kiley <jh...@summa-tech.com>.
Put the JSPs under /WEB-INF/ and refer to them as the destination of your
Struts action results.
jk

On Thu, Jun 18, 2009 at 9:32 AM, abhishek reddy <ab...@gmail.com>wrote:

> how to prevent users from directly accessing jsp files, rather they have to
> come through Struts action?
>
> --
> Abhishek
>



-- 
Jim Kiley
Senior Technical Consultant | Summa
[p] 412.258.3346
http://www.summa-tech.com

RE: how to prevent users from directly accessing jsp files

Posted by Sathishkumar Thiyagarajan <Sa...@webex.com>.
Vishnu,

If you would like to secure a particular file extension, try giving it as
below.

<url-pattern>*.jsp</url-pattern>

Hope it solves your issue.

Regards,
Sathish Kumar T

-----Original Message-----
From: Vishnu Vyasan Nelliparmbil [mailto:vishnu@MUN.GOV.BH] 
Sent: Thursday, June 25, 2009 12:55 PM
To: Struts Users Mailing List
Subject: RE: how to prevent users from directly accessing jsp files

Even I am facing the same problem. 

<security-constraint>
    <web-resource-collection>
      <web-resource-name>All JSP direct access</web-resource-name>
      <url-pattern>/pages/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <description>
       No Access
      </description>
      <role-name>restricted</role-name>
     </auth-constraint>
  </security-constraint>
  
  <security-role>
    <description>NO Access</description>
    <role-name>restricted</role-name>
  </security-role>

Upon restricting as given above, the container is not allowing
Struts to access the JSP page. It's asking for a user name and password.

Where am I wrong here?

My requirement is that, user should be able to access the jsp pages only
through the actions.

Regards
Vishnu 

-----Original Message-----
From: Kishan G. Chellap Paandy
[mailto:kishanchellapaandy_g@spanservices.com] 
Sent: 23 June 2009 07:06
To: Struts Users Mailing List
Subject: RE: how to prevent users from directly accessing jsp files

I tried something like below; it worked.

<security-constraint>
    <web-resource-collection>
      <web-resource-name>All JSP direct access</web-resource-name>
      <url-pattern>/jsp/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <description>
       No Access
      </description>
      <role-name>restricted</role-name>
     </auth-constraint>
  </security-constraint>
  
  <security-role>
    <description>NO Access</description>
    <role-name>restricted</role-name>
  </security-role>

Thank you.
Regards,
Kishan.G
 
Team Leader.
www.spansystems.com




-----Original Message-----
From: Girish Naik [mailto:girish.naik@gmail.com] 
Sent: Friday, June 19, 2009 8:19 PM
To: Struts Users Mailing List
Subject: Re: how to prevent users from directly accessing jsp files

But in that case the css, images, js is compromised right?
What if I want all to be secured?


Regards,
---------------------------------------------------------
Girish Naik
Mobile:-+91-09740091638
girish.naik@gmail.com
Fran
Lebowitz<http://www.brainyquote.com/quotes/authors/f/fran_lebowitz.html>
- "Life is something to do when you can't get to sleep."

On Fri, Jun 19, 2009 at 7:15 PM, Greg Lindholm
<gr...@gmail.com>wrote:

> >  I tried  putting the below string in web.xml, but all my css, js from the
> > application got blocked. But pages are coming. Is something missing or some
> > extra thing to be done?
> >
> > <security-constraint>
> >        <display-name>Prevent access to raw pages.</display-name>
> >        <web-resource-collection>
> >            <web-resource-name>Raw Pages</web-resource-name>
> >            <url-pattern>/struts/*</url-pattern>
> >        </web-resource-collection>
> >        <auth-constraint>
> >            <description>No roles, so no direct access</description>
> >        </auth-constraint>
> >    </security-constraint>
> >
> >
> >
> > Regards,
> > ---------------------------------------------------------
> > Girish Naik
> >
>
> The way this security constraint works is it prevents direct access to the
> area defined by the <url-pattern>/struts/*</url-pattern> elements (you can
> have multiple). In this case we put our jsp files under /struts/ folder.
>
> You can name the folder whatever you like but only put jsp files in it. You
> need to put your css and js files someplace else.
>
> Our typical layout for webroot is:
> /
>  css/
>  images/
>  js/
>  struts/
>  WEB-INF/
>

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org




RE: how to prevent users from directly accessing jsp files

Posted by Vishnu Vyasan Nelliparmbil <vi...@MUN.GOV.BH>.
Even I am facing the same problem. 

<security-constraint>
    <web-resource-collection>
        <web-resource-name>All JSP direct access</web-resource-name>
        <url-pattern>/pages/*</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description>No Access</description>
        <role-name>restricted</role-name>
    </auth-constraint>
</security-constraint>

<security-role>
    <description>NO Access</description>
    <role-name>restricted</role-name>
</security-role>

Upon restricting as given above, the container is not allowing
Struts to access the JSP page. It's asking for a user name and password.

Where am I wrong here?

My requirement is that, user should be able to access the jsp pages only
through the actions.

Regards
Vishnu 

-----Original Message-----
From: Kishan G. Chellap Paandy
[mailto:kishanchellapaandy_g@spanservices.com] 
Sent: 23 June 2009 07:06
To: Struts Users Mailing List
Subject: RE: how to prevent users from directly accessing jsp files

I tried something like below; it worked.

<security-constraint>
    <web-resource-collection>
      <web-resource-name>All JSP direct access</web-resource-name>
      <url-pattern>/jsp/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <description>
       No Access
      </description>
      <role-name>restricted</role-name>
     </auth-constraint>
  </security-constraint>
  
  <security-role>
    <description>NO Access</description>
    <role-name>restricted</role-name>
  </security-role>

Thank you.
Regards,
Kishan.G
 
Team Leader.
www.spansystems.com




-----Original Message-----
From: Girish Naik [mailto:girish.naik@gmail.com] 
Sent: Friday, June 19, 2009 8:19 PM
To: Struts Users Mailing List
Subject: Re: how to prevent users from directly accessing jsp files

But in that case the css, images, js is compromised right?
What if I want all to be secured?


Regards,
---------------------------------------------------------
Girish Naik
Mobile:-+91-09740091638
girish.naik@gmail.com
Fran
Lebowitz<http://www.brainyquote.com/quotes/authors/f/fran_lebowitz.html>
- "Life is something to do when you can't get to sleep."

On Fri, Jun 19, 2009 at 7:15 PM, Greg Lindholm
<gr...@gmail.com>wrote:

> >  I tried  putting the below string in web.xml, but all my css, js from the
> > application got blocked. But pages are coming. Is something missing or some
> > extra thing to be done?
> >
> > <security-constraint>
> >        <display-name>Prevent access to raw pages.</display-name>
> >        <web-resource-collection>
> >            <web-resource-name>Raw Pages</web-resource-name>
> >            <url-pattern>/struts/*</url-pattern>
> >        </web-resource-collection>
> >        <auth-constraint>
> >            <description>No roles, so no direct access</description>
> >        </auth-constraint>
> >    </security-constraint>
> >
> >
> >
> > Regards,
> > ---------------------------------------------------------
> > Girish Naik
> >
>
> The way this security constraint works is it prevents direct access to the
> area defined by the <url-pattern>/struts/*</url-pattern> elements (you can
> have multiple). In this case we put our jsp files under /struts/ folder.
>
> You can name the folder whatever you like but only put jsp files in it. You
> need to put your css and js files someplace else.
>
> Our typical layout for webroot is:
> /
>  css/
>  images/
>  js/
>  struts/
>  WEB-INF/
>



RE: how to prevent users from directly accessing jsp files

Posted by "Kishan G. Chellap Paandy" <ki...@spanservices.com>.
I tried something like below; it worked.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>All JSP direct access</web-resource-name>
        <url-pattern>/jsp/*</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description>No Access</description>
        <role-name>restricted</role-name>
    </auth-constraint>
</security-constraint>

<security-role>
    <description>NO Access</description>
    <role-name>restricted</role-name>
</security-role>

Thank you.
Regards,
Kishan.G
 
Team Leader.
www.spansystems.com




-----Original Message-----
From: Girish Naik [mailto:girish.naik@gmail.com] 
Sent: Friday, June 19, 2009 8:19 PM
To: Struts Users Mailing List
Subject: Re: how to prevent users from directly accessing jsp files

But in that case the css, images, js is compromised right?
What if I want all to be secured?


Regards,
---------------------------------------------------------
Girish Naik
Mobile:-+91-09740091638
girish.naik@gmail.com
Fran Lebowitz<http://www.brainyquote.com/quotes/authors/f/fran_lebowitz.html>
- "Life is something to do when you can't get to sleep."

On Fri, Jun 19, 2009 at 7:15 PM, Greg Lindholm <gr...@gmail.com>wrote:

> >  I tried  putting the below string in web.xml, but all my css, js from the
> > application got blocked. But pages are coming. Is something missing or some
> > extra thing to be done?
> >
> > <security-constraint>
> >        <display-name>Prevent access to raw pages.</display-name>
> >        <web-resource-collection>
> >            <web-resource-name>Raw Pages</web-resource-name>
> >            <url-pattern>/struts/*</url-pattern>
> >        </web-resource-collection>
> >        <auth-constraint>
> >            <description>No roles, so no direct access</description>
> >        </auth-constraint>
> >    </security-constraint>
> >
> >
> >
> > Regards,
> > ---------------------------------------------------------
> > Girish Naik
> >
>
> The way this security constraint works is it prevents direct access to the
> area defined by the <url-pattern>/struts/*</url-pattern> elements (you can
> have multiple). In this case we put our jsp files under /struts/ folder.
>
> You can name the folder whatever you like but only put jsp files in it. You
> need to put your css and js files someplace else.
>
> Our typical layout for webroot is:
> /
>  css/
>  images/
>  js/
>  struts/
>  WEB-INF/
>



Re: how to prevent users from directly accessing jsp files

Posted by Girish Naik <gi...@gmail.com>.
OMG!! Now I need to write a new Web Browser ;)

Regards,
---------------------------------------------------------
Girish Naik
Mobile:-+91-09740091638
girish.naik@gmail.com
Rodney Dangerfield<http://www.brainyquote.com/quotes/authors/r/rodney_dangerfield.html>
- "What a dog I got, his favorite bone is in my arm."

On Fri, Jun 19, 2009 at 8:43 PM, Greg Lindholm <gr...@gmail.com>wrote:

> On Fri, Jun 19, 2009 at 10:48 AM, Girish Naik <gi...@gmail.com>
> wrote:
>
> > But in that case the css, images, js is compromised right?
> > What if I want all to be secured?
> >
> >
> > Regards,
> > ---------------------------------------------------------
> > Girish Naik
> >
>
> Wrong. You have to allow direct access to the css, image and js files. That's
> the way web browsers work, every css, js, and image link you have in a web
> page is retrieved by your web browser with a separate HTTP GET request.
>

Re: how to prevent users from directly accessing jsp files

Posted by Greg Lindholm <gr...@gmail.com>.
On Fri, Jun 19, 2009 at 10:48 AM, Girish Naik <gi...@gmail.com> wrote:

> But in that case the css, images, js is compromised right?
> What if I want all to be secured?
>
>
> Regards,
> ---------------------------------------------------------
> Girish Naik
>

Wrong. You have to allow direct access to the css, image and js files. That's
the way web browsers work, every css, js, and image link you have in a web
page is retrieved by your web browser with a separate HTTP GET request.

Re: how to prevent users from directly accessing jsp files

Posted by Girish Naik <gi...@gmail.com>.
But in that case the css, images, js is compromised right?
What if I want all to be secured?


Regards,
---------------------------------------------------------
Girish Naik
Mobile:-+91-09740091638
girish.naik@gmail.com
Fran Lebowitz<http://www.brainyquote.com/quotes/authors/f/fran_lebowitz.html>
- "Life is something to do when you can't get to sleep."

On Fri, Jun 19, 2009 at 7:15 PM, Greg Lindholm <gr...@gmail.com>wrote:

> >  I tried  putting the below string in web.xml, but all my css, js from the
> > application got blocked. But pages are coming. Is something missing or some
> > extra thing to be done?
> >
> > <security-constraint>
> >        <display-name>Prevent access to raw pages.</display-name>
> >        <web-resource-collection>
> >            <web-resource-name>Raw Pages</web-resource-name>
> >            <url-pattern>/struts/*</url-pattern>
> >        </web-resource-collection>
> >        <auth-constraint>
> >            <description>No roles, so no direct access</description>
> >        </auth-constraint>
> >    </security-constraint>
> >
> >
> >
> > Regards,
> > ---------------------------------------------------------
> > Girish Naik
> >
>
> The way this security constraint works is it prevents direct access to the
> area defined by the <url-pattern>/struts/*</url-pattern> elements (you can
> have multiple). In this case we put our jsp files under /struts/ folder.
>
> You can name the folder whatever you like but only put jsp files in it. You
> need to put your css and js files someplace else.
>
> Our typical layout for webroot is:
> /
>  css/
>  images/
>  js/
>  struts/
>  WEB-INF/
>

Re: how to prevent users from directly accessing jsp files

Posted by Greg Lindholm <gr...@gmail.com>.
>  I tried  putting the below string in web.xml, but all my css, js from the
> application got blocked. But pages are coming. Is something missing or some
> extra thing to be done?
>
> <security-constraint>
>        <display-name>Prevent access to raw pages.</display-name>
>        <web-resource-collection>
>            <web-resource-name>Raw Pages</web-resource-name>
>            <url-pattern>/struts/*</url-pattern>
>        </web-resource-collection>
>        <auth-constraint>
>            <description>No roles, so no direct access</description>
>        </auth-constraint>
>    </security-constraint>
>
>
>
> Regards,
> ---------------------------------------------------------
> Girish Naik
>

The way this security constraint works is it prevents direct access to the
area defined by the <url-pattern>/struts/*</url-pattern> elements (you can
have multiple). In this case we put our jsp files under /struts/ folder.

You can name the folder whatever you like but only put jsp files in it.  You
need to put your css and js files someplace else.

Our typical layout for webroot is:
/
 css/
 images/
 js/
 struts/
 WEB-INF/

Re: how to prevent users from directly accessing jsp files

Posted by Girish Naik <gi...@gmail.com>.
Hi,
 I tried  putting the below string in web.xml, but all my css, js from the
application got blocked. But pages are coming. Is something missing or some
extra thing to be done?

<security-constraint>
    <display-name>Prevent access to raw pages.</display-name>
    <web-resource-collection>
        <web-resource-name>Raw Pages</web-resource-name>
        <url-pattern>/struts/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description>No roles, so no direct access</description>
    </auth-constraint>
</security-constraint>



Regards,
---------------------------------------------------------
Girish Naik
Mobile:-+91-09740091638
girish.naik@gmail.com
Fran Lebowitz<http://www.brainyquote.com/quotes/authors/f/fran_lebowitz.html>
- "Life is something to do when you can't get to sleep."

On Thu, Jun 18, 2009 at 9:04 PM, Greg Lindholm <gr...@gmail.com>wrote:

> On Thu, Jun 18, 2009 at 11:25 AM, Girish Naik <gi...@gmail.com>
> wrote:
>
> > yes it will not show the directory listing. but how now a user has to guess
> > your jsp name and its folder location which I think is difficult. And keeping
> > the jsps inside WEB-INF will make the coder to add the WEB-INF before the
> > page location. :(
> >
> Everyone should know that "obscurity is not security". Your users may not
> need to guess, the disgruntled programmer you fired last week will publish
> all your security weaknesses on an anonymous blog so everyone knows.
>
> At one point in time a few years ago you couldn't count on all web servers
> obeying the "don't expose WEB-INF" rule.  Be sure you test your solution
> with the web server you will be using.
>
>
>
> >
> > Regards,
> > ---------------------------------------------------------
> > Girish Naik
> > Mobile:-+91-09740091638
> > girish.naik@gmail.com
> > George Carlin<
> > http://www.brainyquote.com/quotes/authors/g/george_carlin.html>
> > - "Electricity is really just organized lightning."
> >
> > On Thu, Jun 18, 2009 at 8:45 PM, Jan T. Kim <j....@uea.ac.uk> wrote:
> >
> > > On Thu, Jun 18, 2009 at 07:47:45PM +0530, Girish Naik wrote:
> > > > Go to Tomcat Home/conf/web.xml file. In this file put listings as false.
> > > > <init-param>
> > > >             <param-name>listings</param-name>
> > > >             <param-value>false</param-value>
> > > >         </init-param>
> > > >
> > > > Regards,
> > > > ---------------------------------------------------------
> > > > Girish Naik
> > >
> > > doesn't that still allow access by direct URL to the JSP? I think
> > > it disables directory listings only.
> > >
> > > Anyway, perhaps the easiest solution is to put such JSPs in a subdirectory
> > > of WEB-INF. The web container must not expose that hierarchy via HTTP
> > > (see servlet spec, section 9.5). I like to keep my JSPs in /WEB-INF/views .
> > >
> > > Best regards, Jan
> > >
> >
>

Re: how to prevent users from directly accessing jsp files

Posted by Greg Lindholm <gr...@gmail.com>.
On Thu, Jun 18, 2009 at 11:25 AM, Girish Naik <gi...@gmail.com> wrote:

> yes it will not show the directory listing. but how now a user has to guess
> your jsp name and its folder location which I think is difficult. And keeping
> the jsps inside WEB-INF will make the coder to add the WEB-INF before the
> page location. :(
>

Everyone should know that "obscurity is not security". Your users may not
need to guess, the disgruntled programmer you fired last week will publish
all your security weaknesses on an anonymous blog so everyone knows.

At one point in time a few years ago you couldn't count on all web servers
obeying the "don't expose WEB-INF" rule.  Be sure you test your solution
with the web server you will be using.



>
> Regards,
> ---------------------------------------------------------
> Girish Naik
> Mobile:-+91-09740091638
> girish.naik@gmail.com
> George Carlin<
> http://www.brainyquote.com/quotes/authors/g/george_carlin.html>
> - "Electricity is really just organized lightning."
>
> On Thu, Jun 18, 2009 at 8:45 PM, Jan T. Kim <j....@uea.ac.uk> wrote:
>
> > On Thu, Jun 18, 2009 at 07:47:45PM +0530, Girish Naik wrote:
> > > Go to Tomcat Home/conf/web.xml file. In this file put listings as false.
> > > <init-param>
> > >             <param-name>listings</param-name>
> > >             <param-value>false</param-value>
> > >         </init-param>
> > >
> > > Regards,
> > > ---------------------------------------------------------
> > > Girish Naik
> >
> > doesn't that still allow access by direct URL to the JSP? I think
> > it disables directory listings only.
> >
> > Anyway, perhaps the easiest solution is to put such JSPs in a subdirectory
> > of WEB-INF. The web container must not expose that hierarchy via HTTP
> > (see servlet spec, section 9.5). I like to keep my JSPs in /WEB-INF/views .
> >
> > Best regards, Jan
> >
>

Re: how to prevent users from directly accessing jsp files

Posted by Girish Naik <gi...@gmail.com>.
Yes, it will not show the directory listing. But how now a user has to guess
your jsp name and its folder location which I think is difficult. And keeping
the jsps inside WEB-INF will make the coder to add the WEB-INF before the
page location. :(


Regards,
---------------------------------------------------------
Girish Naik
Mobile:-+91-09740091638
girish.naik@gmail.com
George Carlin<http://www.brainyquote.com/quotes/authors/g/george_carlin.html>
- "Electricity is really just organized lightning."

On Thu, Jun 18, 2009 at 8:45 PM, Jan T. Kim <j....@uea.ac.uk> wrote:

> On Thu, Jun 18, 2009 at 07:47:45PM +0530, Girish Naik wrote:
> > Go to Tomcat Home/conf/web.xml file. In this file put listings as false.
> > <init-param>
> >             <param-name>listings</param-name>
> >             <param-value>false</param-value>
> >         </init-param>
> >
> > Regards,
> > ---------------------------------------------------------
> > Girish Naik
>
> doesn't that still allow access by direct URL to the JSP? I think
> it disables directory listings only.
>
> Anyway, perhaps the easiest solution is to put such JSPs in a subdirectory
> of WEB-INF. The web container must not expose that hierarchy via HTTP
> (see servlet spec, section 9.5). I like to keep my JSPs in /WEB-INF/views .
>
> Best regards, Jan
>
> > Mobile:-+91-09740091638
> > girish.naik@gmail.com
> > Rodney Dangerfield<
> http://www.brainyquote.com/quotes/authors/r/rodney_dangerfield.html>
> > - "What a dog I got, his favorite bone is in my arm."
> >
> > On Thu, Jun 18, 2009 at 7:11 PM, Greg Lindholm <greg.lindholm@gmail.com
> >wrote:
> >
> > > We put all our jsp files into a /struts/ folder then add the following
> > > security constraint to web.xml
> > >
> > >
> > >    <security-constraint>
> > >        <display-name>Prevent access to raw pages.</display-name>
> > >        <web-resource-collection>
> > >            <web-resource-name>Raw Pages</web-resource-name>
> > >            <url-pattern>/struts/*</url-pattern>
> > >        </web-resource-collection>
> > >        <auth-constraint>
> > >            <description>No roles, so no direct access</description>
> > >        </auth-constraint>
> > >    </security-constraint>
> > >
> > >
> > > On Thu, Jun 18, 2009 at 9:32 AM, abhishek reddy <abhishek.c1984@gmail.com>
> > > wrote:
> > >
> > > > how to prevent users from directly accessing jsp files, rather they have to
> > > > come through Struts action?
> > > >
> > > > --
> > > > Abhishek
> > > >
> > >
>
> --
>  +- Jan T. Kim -------------------------------------------------------+
>  |             email: j.kim@uea.ac.uk                                 |
>  |             WWW:   http://www.cmp.uea.ac.uk/people/jtk             |
>  *-----=<  hierarchical systems are for files, not for humans  >=-----*
>
>
>

Re: how to prevent users from directly accessing jsp files

Posted by "Jan T. Kim" <j....@uea.ac.uk>.
On Thu, Jun 18, 2009 at 07:47:45PM +0530, Girish Naik wrote:
> Go to Tomcat Home/conf/web.xml file. In this file put listings as false.
> <init-param>
>             <param-name>listings</param-name>
>             <param-value>false</param-value>
>         </init-param>
> 
> Regards,
> ---------------------------------------------------------
> Girish Naik

doesn't that still allow access by direct URL to the JSP? I think
it disables directory listings only.

Anyway, perhaps the easiest solution is to put such JSPs in a subdirectory
of WEB-INF. The web container must not expose that hierarchy via HTTP
(see servlet spec, section 9.5). I like to keep my JSPs in /WEB-INF/views .

Best regards, Jan

> Mobile:-+91-09740091638
> girish.naik@gmail.com
> Rodney Dangerfield<http://www.brainyquote.com/quotes/authors/r/rodney_dangerfield.html>
> - "What a dog I got, his favorite bone is in my arm."
> 
> On Thu, Jun 18, 2009 at 7:11 PM, Greg Lindholm <gr...@gmail.com>wrote:
> 
> > We put all our jsp files into a /struts/ folder then add the following
> > security constraint to web.xml
> >
> >
> >    <security-constraint>
> >        <display-name>Prevent access to raw pages.</display-name>
> >        <web-resource-collection>
> >            <web-resource-name>Raw Pages</web-resource-name>
> >            <url-pattern>/struts/*</url-pattern>
> >        </web-resource-collection>
> >        <auth-constraint>
> >            <description>No roles, so no direct access</description>
> >        </auth-constraint>
> >    </security-constraint>
> >
> >
> > On Thu, Jun 18, 2009 at 9:32 AM, abhishek reddy <abhishek.c1984@gmail.com>
> > wrote:
> >
> > > how to prevent users from directly accessing jsp files, rather they have to
> > > come through Struts action?
> > >
> > > --
> > > Abhishek
> > >
> >

-- 
 +- Jan T. Kim -------------------------------------------------------+
 |             email: j.kim@uea.ac.uk                                 |
 |             WWW:   http://www.cmp.uea.ac.uk/people/jtk             |
 *-----=<  hierarchical systems are for files, not for humans  >=-----*



Re: how to prevent users from directly accessing jsp files

Posted by Girish Naik <gi...@gmail.com>.
Go to Tomcat Home/conf/web.xml file. In this file put listings as false.
<init-param>
    <param-name>listings</param-name>
    <param-value>false</param-value>
</init-param>

Regards,
---------------------------------------------------------
Girish Naik
Mobile:-+91-09740091638
girish.naik@gmail.com
Rodney Dangerfield<http://www.brainyquote.com/quotes/authors/r/rodney_dangerfield.html>
- "What a dog I got, his favorite bone is in my arm."

On Thu, Jun 18, 2009 at 7:11 PM, Greg Lindholm <gr...@gmail.com>wrote:

> We put all our jsp files into a /struts/ folder then add the following
> security constraint to web.xml
>
>
>    <security-constraint>
>        <display-name>Prevent access to raw pages.</display-name>
>        <web-resource-collection>
>            <web-resource-name>Raw Pages</web-resource-name>
>            <url-pattern>/struts/*</url-pattern>
>        </web-resource-collection>
>        <auth-constraint>
>            <description>No roles, so no direct access</description>
>        </auth-constraint>
>    </security-constraint>
>
>
> On Thu, Jun 18, 2009 at 9:32 AM, abhishek reddy <abhishek.c1984@gmail.com>
> wrote:
>
> > how to prevent users from directly accessing jsp files, rather they have to
> > come through Struts action?
> >
> > --
> > Abhishek
> >
>

Re: how to prevent users from directly accessing jsp files

Posted by abhishek reddy <ab...@gmail.com>.
Can you please explain this a bit more... I am using Tiles Definition

On Thu, Jun 18, 2009 at 7:11 PM, Greg Lindholm <gr...@gmail.com>wrote:

> We put all our jsp files into a /struts/ folder then add the following
> security constraint to web.xml
>
>
>    <security-constraint>
>        <display-name>Prevent access to raw pages.</display-name>
>        <web-resource-collection>
>            <web-resource-name>Raw Pages</web-resource-name>
>            <url-pattern>/struts/*</url-pattern>
>        </web-resource-collection>
>        <auth-constraint>
>            <description>No roles, so no direct access</description>
>        </auth-constraint>
>    </security-constraint>
>
>
> On Thu, Jun 18, 2009 at 9:32 AM, abhishek reddy <abhishek.c1984@gmail.com>
> wrote:
>
> > how to prevent users from directly accessing jsp files, rather they have to
> > come through Struts action?
> >
> > --
> > Abhishek
> >
>



-- 
Abhishek

Re: how to prevent users from directly accessing jsp files

Posted by Greg Lindholm <gr...@gmail.com>.
We put all our jsp files into a /struts/ folder then add the following
security constraint to web.xml


    <security-constraint>
        <display-name>Prevent access to raw pages.</display-name>
        <web-resource-collection>
            <web-resource-name>Raw Pages</web-resource-name>
            <url-pattern>/struts/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <description>No roles, so no direct access</description>
        </auth-constraint>
    </security-constraint>


On Thu, Jun 18, 2009 at 9:32 AM, abhishek reddy <ab...@gmail.com>wrote:

> how to prevent users from directly accessing jsp files, rather they have to
> come through Struts action?
>
> --
> Abhishek
>
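
Added example (not part of any message in this thread, and not Struts or Tomcat code): a small Python audit that reads a web.xml and reports how a container would treat a direct client request under the two constraint styles posted above, the empty auth-constraint and the role-based one with listed http-method elements. The sample web.xml, the probe paths and all function names are constructed for illustration; the matching models the servlet rules for exact, prefix and extension patterns.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two constraint styles posted in this thread,
# wrapped in a bare <web-app> root so the text parses on its own.
SAMPLE_WEB_XML = """\
<web-app>
  <security-constraint>
    <display-name>Prevent access to raw pages.</display-name>
    <web-resource-collection>
      <web-resource-name>Raw Pages</web-resource-name>
      <url-pattern>/struts/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <description>No roles, so no direct access</description>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>All JSP direct access</web-resource-name>
      <url-pattern>/pages/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <description>No Access</description>
      <role-name>restricted</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip an XML namespace so namespaced and bare web.xml files both work."""
    return tag.rsplit("}", 1)[-1]


def _kids(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def load_constraints(xml_text):
    """Flatten each <security-constraint> into (pattern, methods, access) rows."""
    rows = []
    for sc in ET.fromstring(xml_text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        auth = _kids(sc, "auth-constraint")
        roles = [(r.text or "").strip() for a in auth for r in _kids(a, "role-name")]
        # No <auth-constraint>: no authorization required ("open").
        # <auth-constraint> with no roles: nobody may request the resource.
        access = "open" if not auth else ("role:" + ",".join(roles) if roles else "deny-all")
        for wrc in _kids(sc, "web-resource-collection"):
            methods = frozenset((m.text or "").strip().upper() for m in _kids(wrc, "http-method"))
            for p in _kids(wrc, "url-pattern"):
                rows.append(((p.text or "").strip(), methods, access))
    return rows


def _match_rank(pattern, path):
    """Servlet-style matching: exact, then longest path prefix, then extension."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*") and (path == pattern[:-2] or path.startswith(pattern[:-1])):
        return (2, len(pattern))
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, 0)
    if pattern == "/":
        return (0, 0)
    return None


def decide(rows, path, method="GET"):
    """Outcome for a direct client request: 'deny', 'allow' or 'login:<roles>'.

    Constraints are evaluated on client requests only; a server-side forward
    from an action to the JSP is not re-checked against them.
    """
    ranked = [(_match_rank(p, path), m, a) for p, m, a in rows]
    ranked = [r for r in ranked if r[0] is not None]
    if not ranked:
        return "allow"  # no constraint mentions this path
    best = max(r[0] for r in ranked)
    # An empty <http-method> list covers every method; a non-empty list
    # leaves every unlisted method outside this constraint.
    hits = [a for rank, m, a in ranked if rank == best and (not m or method.upper() in m)]
    if not hits:
        return "allow"
    if "deny-all" in hits:
        return "deny"
    if "open" in hits:
        return "allow"
    return "login:" + ",".join(sorted({h[5:] for h in hits}))


def audit(xml_text, probes):
    """Map each (path, method) probe to the decision for a direct request."""
    rows = load_constraints(xml_text)
    return {(path, method): decide(rows, path, method) for path, method in probes}


if __name__ == "__main__":
    probes = [("/struts/home.jsp", "GET"), ("/pages/home.jsp", "GET"),
              ("/pages/home.jsp", "HEAD"), ("/css/site.css", "GET")]  # constructed paths
    for probe, outcome in audit(SAMPLE_WEB_XML, probes).items():
        print(probe, "->", outcome)
```

A "login" result is the case where the container prompts for a user name and password; dropping the role-name and the http-method elements turns it into an unconditional deny for every method.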