You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Tim Coultas <tc...@helper.com> on 2001/04/18 00:38:42 UTC
Hiding JSPs from Public Access!?!?!
Folks -
I have run into the common problem where visitors can get at my jsp files
even though I have set up log-in system of security using a central "traffic
circle" servlet that forwards users to jsp pages.
I have the servlets residing in a directory named jsp under the main context
directory.
However, a visitor can get the jsp pages by going to:
http://www.website.com/context/jsp/filename.jsp
I have tried to cut off access by placing this directory in the WEB-INF
directory, but I can still get to it at the URL above. Also, I have tried
to just dump all of the .jsp's into the WEB-INF directory (and not place
them in a sub-directory) and I can STILL get to them by at the URL above.
I have also tried to edit the web.xml security section by entering something
like "<url-pattern>/jsp/*</url-pattern>" and
"<url-pattern>/jsp/filename.jsp</url-pattern>" but this does not have any
effect.
How the heck do I do this?????
Has anyone been able to do it?????????
Thanks.
Tim Coultas