You are viewing a plain text version of this content. The canonical link for it is here.

Posted to user@struts.apache.org by Oleg V Alexeev <go...@penza.net> on 2000/11/15 06:59:49 UTC

Re[2]: *.jsp "back door" issue

Hello David,

Tuesday, November 14, 2000, 11:19:40 PM, you wrote:

DG> Joel Schneider wrote:

>> However, it's also possible for users to directly request a .jsp page.
>> When this happens, the JSP container (in my case, Orion) will process the
>> .jsp page without any involvement by the ActionServlet.  Some .jsp pages
>> may yield unexpected results when called in this manner.

DG> Put those JSP pages in a directory under WEB-INF; for example, WEB-INF/jsp.
DG> Files under the WEB-INF directory cannot be directly accessed.

But pages can be redirected - not forwarded only. How can we do it in
this case?

-- 
Best regards,
 Oleg                            mailto:gonza@penza.net

Re: Re[2]: *.jsp "back door" issue

Posted by Joel Schneider <js...@cariboulake.com>.

On Wed, 15 Nov 2000, Oleg V Alexeev wrote:

> Hello David,
> 
> Tuesday, November 14, 2000, 11:19:40 PM, you wrote:
> 
> DG> Joel Schneider wrote:
> 
> >> However, it's also possible for users to directly request a .jsp page.
> >> When this happens, the JSP container (in my case, Orion) will process the
> >> .jsp page without any involvement by the ActionServlet.  Some .jsp pages
> >> may yield unexpected results when called in this manner.
> 
> DG> Put those JSP pages in a directory under WEB-INF; for example, WEB-INF/jsp.
> DG> Files under the WEB-INF directory cannot be directly accessed.
> 
> But pages can be redirected - not forwarded only. How can we do it in
> this case?
> 

It should be possible to redirect to the "*.do" mappings defined in
action.xml.  Simply redirect to, for example, "/login.do", etc.

Joel