Posted to general@jakarta.apache.org by Dennis Thrysoe - Netnord A/S <dt...@netnord.dk> on 2001/01/08 20:16:50 UTC

Hidden JSP?

Hello,

I would greatly appreciate a bit of advice from the gurus on a task I'm 
facing.

I need to configure a Tomcat instance, so that a servlet mounted at the 
root of the website (/) is able to include JSP that can *not* be 
accessed from the website.

The only way I have found so far is making a second context from the one 
the servlet is mounted in, getting a RequestDispatcher for this context 
and then forwarding. But this solution makes it possible for the users 
to just enter the context name and access the JSP directly.
To solve this I would need to somehow 'disable' the context for access 
from outside Tomcat.

So to make a long question short: Is there any way to include a 'hidden' 
JSP file?

Any help appreciated, TIA,

Dennis Thrysøe


Re: Hidden JSP?

Posted by Hans Bergsten <ha...@gefionsoftware.com>.
Dennis Thrysoe - Netnord A/S wrote:
> 
> Hello,
> 
> I would greatly appreciate a bit of advice from the gurus on a task I'm
> facing.
> 
> I need to configure a Tomcat instance, so that a servlet mounted at the
> root of the website (/) is able to include JSP that can *not* be
> accessed from the website.
> 
> The only way I have found so far is making a second context from the one
> the servlet is mounted in, getting a RequestDispatcher for this context
> and then forwarding. But this solution makes it possible for the users
> to just enter the context name and access the JSP directly.
> To solve this I would need to somehow 'disable' the context for access
> from outside Tomcat.
> 
> So to make a long question short: Is there any way to include a 'hidden'
> JSP file?

You can define a security constraint for the JSP pages and only allow
access to a role that you do not assign any users to. Security
constraints are not applied when you use a RequestDispatcher (since it's
an internal call within the application), so the effect is that no one
can access the JSP pages directly, only through your servlet.

Hans
PS. This is not a technique that's unique for Tomcat. It should work
in any Servlet 2.2 compliant container.
-- 
Hans Bergsten		hans@gefionsoftware.com
Gefion Software		http://www.gefionsoftware.com
Author of JavaServer Pages (O'Reilly), http://TheJSPBook.com
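
The configuration described in the reply above, as an added example that is not part of the original thread: a Servlet 2.2 web.xml that constrains the JSP pages to a role no user holds. The /hidden/* path, the "nobody" role name and the com.example.FrontServlet class are assumptions chosen for illustration.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC
    "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
    "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>

  <!-- Hypothetical front servlet mounted at the root of the context.
       It reaches the protected pages only through an internal call, e.g.
       getServletContext().getRequestDispatcher("/hidden/page.jsp")
                          .include(request, response); -->
  <servlet>
    <servlet-name>front</servlet-name>
    <servlet-class>com.example.FrontServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>front</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>

  <!-- Every JSP under /hidden (assumed location) requires the "nobody" role. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Internal JSP pages</web-resource-name>
      <url-pattern>/hidden/*</url-pattern>
      <!-- No http-method elements: the constraint then covers all HTTP
           methods. Listing only GET and POST would leave the other
           methods unconstrained. -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>nobody</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- The role is declared here but must never be granted to any user
       in the container's user store (the realm or users file). -->
  <security-role>
    <description>Deliberately unassigned role</description>
    <role-name>nobody</role-name>
  </security-role>

</web-app>
```

The protection holds only while no account is given the "nobody" role, so a review of the container's user store belongs in the deployment checklist.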