You are viewing a plain text version of this content. The canonical link for it is here.
Posted to general@jakarta.apache.org by Dennis Thrysoe - Netnord A/S <dt...@netnord.dk> on 2001/01/08 20:16:50 UTC
Hidden JSP?
Hello,
I would greatly appreciate a bit of advice from the gurus on a task I'm
facing.
I need to configure a Tomcate instance, so that a servlet mounted at the
root of the website (/) is able to include JSP that can *not* be
accessed from the website.
The only way I have found so far is making a second context from the one
the servlet is mounted in, getting a RequestDispatcher for this context
and then forwarding. But this solution makes it possible for the users
tio just enter the context name and access the JSP directly.
To solve this I would need to somehow 'disable' the context for access
from outside Tomcat.
So to make a long question short: Is there any way to include a 'hidden'
JSP file?
Any help appreciated, TIA,
Dennis Thrysøe
Re: Hidden JSP?
Posted by Hans Bergsten <ha...@gefionsoftware.com>.
Dennis Thrysoe - Netnord A/S wrote:
>
> Hello,
>
> I would greatly appreciate a bit of advice from the gurus on a task I'm
> facing.
>
> I need to configure a Tomcate instance, so that a servlet mounted at the
> root of the website (/) is able to include JSP that can *not* be
> accessed from the website.
>
> The only way I have found so far is making a second context from the one
> the servlet is mounted in, getting a RequestDispatcher for this context
> and then forwarding. But this solution makes it possible for the users
> tio just enter the context name and access the JSP directly.
> To solve this I would need to somehow 'disable' the context for access
> from outside Tomcat.
>
> So to make a long question short: Is there any way to include a 'hidden'
> JSP file?
You can define a security constraint for the JSP pages and only allow
access to a role that you do not assign any users to. Security
constraints
are not applied when you use a RequestDispatcher (since it's an internal
call within the application), so the effect is that no one can access
the JSP pages directly, only through your servlet.
Hans
PS. This is not a technique that's unique for Tomcat. It should work
in any Servlet 2.2 compliant container.
--
Hans Bergsten hans@gefionsoftware.com
Gefion Software http://www.gefionsoftware.com
Author of JavaServer Pages (O'Reilly), http://TheJSPBook.com