You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@struts.apache.org by Dave J Dandeneau <Da...@viant.com> on 2001/12/18 21:41:15 UTC
Security when jsps aren't in WEB-INF
If you have high security requirements and you don't want to put your
jsps in the WEB-INF, then how should you do it? Can you use declarative
security to make sure no one accesses a jsp directly?
thanks,
dave dandeneau
Re: Security when jsps aren't in WEB-INF
Posted by Matt Raible <ma...@yahoo.com>.
The way that I've done it is to proxy all requests through an action. If I
need to access a JSP w/o going through an action, I've used a DefaultAction
that is mapped to unknown (search the archives for more on this). Then you can
protect /do/* (or .do*) in your web.xml.
You could also protect *.jsp but then you probably couldn't get to your login
pages if you're using form-based authentication.
HTH,
Matt
--- Dave J Dandeneau <Da...@viant.com> wrote:
> If you have high security requirements and you don't want to put your
> jsps in the WEB-INF, then how should you do it? Can you use declarative
> security to make sure no one accesses a jsp directly?
>
> thanks,
> dave dandeneau
>
__________________________________________________
Do You Yahoo!?
Check out Yahoo! Shopping and Yahoo! Auctions for all of
your unique holiday gifts! Buy at http://shopping.yahoo.com
or bid at http://auctions.yahoo.com
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>