Posted to user@struts.apache.org by Neil Aggarwal <ne...@JAMMConsulting.com> on 2005/07/14 21:48:12 UTC

Security constraint not working

Hello:

According to this page:
http://www.javaworld.com/javaworld/jw-09-2004/jw-0913-struts.html

In order to prevent people from accessing jsp pages directly
without using my struts controller, I added this to my web.xml:

  <!-- Do not allow users to load jsps directly -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>no_access</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
  </security-constraint>

I added it and I can still load a page with the url
to the jsp.  Here is an example:

http://dev.rentclubs.com/rentclubs/howWeStarted.jsp

Any ideas?

Thanks,
	Neil

--
Neil Aggarwal, JAMM Consulting, (214) 986-3533, www.JAMMConsulting.com
FREE! Valuable info on how your business can reduce operating costs by
17% or more in 6 months or less! http://newsletter.JAMMConsulting.com


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: Security constraint not working

Posted by Bart Frackiewicz <bf...@open-medium.com>.
Perhaps you need at least one <auth-constraint> with a given role - or 
you leave it empty (look into the example, there is an <auth-constraint/> 
before </security-constraint>).

Neil Aggarwal wrote:
> Hello:
> 
> 
>   <!-- Do not allow users to load jsps directly -->
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>no_access</web-resource-name>
>       <url-pattern>*.jsp</url-pattern>
>     </web-resource-collection>
>   </security-constraint>
> 

My example:

   <security-constraint>
     <!-- normal area -->
     <web-resource-collection>
       <web-resource-name>BOS Airliquide Deutschland</web-resource-name>
       <url-pattern>*.do</url-pattern>
       <!-- <url-pattern>*.do</url-pattern> -->
     </web-resource-collection>
     <auth-constraint>
       <role-name>BO</role-name>
     </auth-constraint>
   </security-constraint>
   <security-role>
     <role-name>BO</role-name>
   </security-role>

Bart
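
An added example, not part of either post: a small Python check that reads a web.xml and reports how a servlet container treats each <security-constraint>, following the Servlet specification rule that a constraint with no <auth-constraint> requires no authorization while an empty <auth-constraint/> denies every client request. The function names, verdict labels and the trimmed sample descriptor are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint from the question, the same constraint with
# an empty <auth-constraint/>, and a role-based one like the reply's example.
SAMPLE = """
<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>*.jsp</url-pattern></web-resource-collection>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>*.jsp</url-pattern></web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>*.do</url-pattern></web-resource-collection>
    <auth-constraint><role-name>BO</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

def local(tag):
    """Drop any XML namespace so DTD-based and schema-based descriptors both parse."""
    return tag.rsplit("}", 1)[-1]

def children(elem, name):
    return [c for c in elem if local(c.tag) == name]

def audit_constraints(web_xml):
    """Return one (url_patterns, verdict, roles) tuple per <security-constraint>."""
    findings = []
    for sc in ET.fromstring(web_xml).iter():
        if local(sc.tag) != "security-constraint":
            continue
        patterns = [(p.text or "").strip()
                    for wrc in children(sc, "web-resource-collection")
                    for p in children(wrc, "url-pattern")]
        auth = children(sc, "auth-constraint")
        roles = [(r.text or "").strip() for a in auth for r in children(a, "role-name")]
        if not auth:
            verdict = "OPEN"      # no <auth-constraint>: no authorization required
        elif not roles:
            verdict = "DENY_ALL"  # empty <auth-constraint/>: no client may request it
        else:
            verdict = "ROLES"     # only the listed roles may request it
        findings.append((patterns, verdict, roles))
    return findings

if __name__ == "__main__":
    for patterns, verdict, roles in audit_constraints(SAMPLE):
        print(patterns, verdict, roles)
```

Security constraints apply to requests coming from clients, not to RequestDispatcher forwards or includes, so a DENY_ALL constraint on *.jsp still lets the Struts controller forward to those pages.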
