Posted to user@struts.apache.org by Dave J Dandeneau <Da...@viant.com> on 2001/12/18 21:41:15 UTC

Security when jsps aren't in WEB-INF

If you have high security requirements and you don't want to put your
jsps in the WEB-INF, then how should you do it? Can you use declarative
security to make sure no one accesses a jsp directly?

thanks,
dave dandeneau

Re: Security when jsps aren't in WEB-INF

Posted by Matt Raible <ma...@yahoo.com>.
The way that I've done it is to proxy all requests through an action.  If I
need to access a JSP w/o going through an action, I've used a DefaultAction
that is mapped to unknown (search the archives for more on this).  Then you can
protect /do/* (or .do*) in your web.xml.

You could also protect *.jsp but then you probably couldn't get to your login
pages if you're using form-based authentication.

HTH,

Matt

--- Dave J Dandeneau <Da...@viant.com> wrote:
> If you have high security requirements and you don't want to put your
> jsps in the WEB-INF, then how should you do it? Can you use declarative
> security to make sure no one accesses a jsp directly?
> 
> thanks,
> dave dandeneau
> 
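
Added example, not part of either message above and not code from the Struts project: a web.xml fragment that combines the two options in the reply, requiring a role for /do/* and refusing direct client requests for *.jsp through an empty auth-constraint. It assumes a Servlet 2.3 container, an action servlet mapped to /do/*, and made-up role and page names (appuser, /login.jsp, /loginError.jsp).

```xml
<!-- Added example fragment for WEB-INF/web.xml (Servlet 2.3 element order).
     The role name and the login page paths are assumptions. -->

<!-- 1. Every Struts action requires an authenticated user in the role. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Struts actions</web-resource-name>
    <url-pattern>/do/*</url-pattern>
    <!-- no http-method elements, so the constraint covers every method -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>appuser</role-name>
  </auth-constraint>
</security-constraint>

<!-- 2. Direct client requests for JSPs are refused for everyone. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>JSPs outside WEB-INF</web-resource-name>
    <url-pattern>*.jsp</url-pattern>
  </web-resource-collection>
  <!-- an auth-constraint with no role-name allows no user at all -->
  <auth-constraint/>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/loginError.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>appuser</role-name>
</security-role>
```

Security constraints are evaluated on requests coming from the client, not on RequestDispatcher forwards or includes, so an action that forwards to a JSP still renders it. Whether the form-login pages stay reachable under the *.jsp rule depends on how the container dispatches to them, which is the caveat raised in the reply, so check that on the target container before relying on it.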

