Posted to user@struts.apache.org by "Hookom, Jacob" <Ja...@redline.mckhboc.com> on 2004/01/15 17:14:15 UTC
RE: JSP Protection
It depends on your web container if that's actually allowed. You should
check your container spec before moving all of your JSPs into the WEB-INF
folder. The other alternative is to create a filter that will get/put
requests to /jsp/* in your app.
(WebLogic, for example, will not compile JSPs within WEB-INF)
Regards,
Jacob
-----Original Message-----
From: Yee, Richard K,,DMDCWEST [mailto:Yeerk@osd.pentagon.mil]
Sent: Thursday, January 15, 2004 10:18 AM
To: 'Struts Users Mailing List'
Subject: RE: JSP Protection
Jürgen,
Put the JSP under the WEB-INF directory. Once there, it will only be
accessible from within your web application.
-Richard
-----Original Message-----
From: Jürgen Scheffler [mailto:Juergen.Scheffler@gmx.de]
Sent: Thursday, January 15, 2004 8:15 AM
To: struts-user@jakarta.apache.org
Subject: JSP Protection
Hi,
How do I block URL guessing?
If someone requests abc.com/secret_page.jsp
he gets it. In my Action I check if the user object has the right rights for
this action and then I forward him. But if he guesses the JSP, he opens it.
Help me!
Jürgen
---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org
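
One way to build the filter alternative mentioned in the reply, as an added example that is not part of the original thread. It reads "a filter on /jsp/*" as: reject requests a client makes directly for a JSP, and let through forwards issued by an Action. The class name, package and `web.xml` entries are hypothetical, and it assumes a Servlet 3.0+ container (for `getDispatcherType()`) with the JSPs kept under `/jsp/`.

```java
package example; // hypothetical package name

import java.io.IOException;
import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/*
 * web.xml mapping (constructed for this example):
 *
 *   <filter>
 *     <filter-name>directJspBlock</filter-name>
 *     <filter-class>example.DirectJspBlockFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>directJspBlock</filter-name>
 *     <url-pattern>/jsp/*</url-pattern>
 *   </filter-mapping>
 *
 * With no <dispatcher> elements the container applies the filter to
 * client requests only; the check below also keeps it correct if
 * FORWARD or INCLUDE dispatchers are added to the mapping later.
 */
public class DirectJspBlockFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // REQUEST: the client asked for this URL itself.
        // FORWARD / INCLUDE: server-side code (e.g. an Action) dispatched here.
        if (req.getDispatcherType() == DispatcherType.REQUEST) {
            // 404 rather than 403, so the response does not confirm the page exists.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

The authorization check itself stays in the Action, as in the original question; the filter only closes the path that bypasses it.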