Posted to users@tomcat.apache.org by "Hughes, Tim" <ti...@cgey.com> on 2001/07/02 10:16:32 UTC

RE: Programmatic security with servlet mappings in tomcat

Hi,

(Tomcat 3.2.1, Windows 2000, JDK 1.3.1)

I want to use a Request Controller architecture for a webapp (i.e. one JSP
that receives all requests and then dispatches the requests to other JSPs
for servicing of the request). Of course I want to ensure that these
"servicing" JSPs are not accessible without passing through the controller
jsp. Is a secure solution to this problem to use a servlet mapping of the
following form in web.xml:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
    "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">

<web-app>

  <!-- Declare the controller JSP as a named servlet. The jsp-file value
       must be a full path within the web application, starting with "/". -->
  <servlet>
    <servlet-name>controller</servlet-name>
    <jsp-file>/controller.jsp</jsp-file>
  </servlet>

  <!-- Route every request in this context to the controller. -->
  <servlet-mapping>
    <servlet-name>controller</servlet-name>
    <url-pattern>/*</url-pattern>
  </servlet-mapping>

</web-app>


And to include in Controller.jsp a session bean for each user to check
whether they have logged on to the site before forwarding their request to
the "servicing" JSP.

I have tried this out "empirically" myself and it seems to work but I would
quite like a "theoretical" confirmation that this is secure and that this
solution makes it impossible for a malicious user to get access to the
"servicing" JSPs (without passing through Controller.jsp which will force a
logon).

Thanks.

Tim.
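The following is an added example, not Tim's code and not part of the original post. It shows the same request-controller idea written as a servlet against the Servlet 2.2 API that Tomcat 3.2.x implements, with two hardening choices the post does not make: the servicing JSPs live under /WEB-INF/jsp/, where the container refuses to serve them directly no matter how the mappings resolve, and the controller only forwards to page names on a fixed allow-list, so a request path can never select an arbitrary file. Everything about the deployment is assumed: the controller is mapped to /app/*, the logged-in state is a session attribute named "user" set by a login action that is not shown, and the page names home, account and orders are invented.

```java
// Added example (not from the original post): a front-controller servlet for
// the Servlet 2.2 API (Tomcat 3.2.x). Assumptions: the servicing JSPs live
// under /WEB-INF/jsp/, this servlet is mapped to /app/*, and a login action
// (not shown) stores a non-null "user" attribute in the session on success.
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class FrontController extends HttpServlet {

    // Allow-list of page names that may be reached through the controller.
    private static final String[] PAGES = { "home", "account", "orders" };

    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Look only at an existing session: getSession(false) never creates
        // one for an anonymous request, so a forged request cannot start a
        // session that is later mistaken for a logged-in one.
        HttpSession session = req.getSession(false);
        boolean loggedIn = session != null && session.getAttribute("user") != null;

        if (!loggedIn) {
            // Force a logon for every request, whatever page was asked for.
            forward(req, resp, "/WEB-INF/jsp/login.jsp");
            return;
        }

        String page = pageFrom(req.getPathInfo());
        if (page == null) {
            // Unknown or malformed path (e.g. "../controller"): refuse rather
            // than build a dispatcher path from untrusted input.
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        forward(req, resp, "/WEB-INF/jsp/" + page + ".jsp");
    }

    /**
     * Maps the path-info of a request under /app/* (for example "/orders")
     * to an allow-listed page name. "/app" and "/app/" select "home";
     * anything not on the list yields null.
     */
    static String pageFrom(String pathInfo) {
        if (pathInfo == null || pathInfo.length() < 2) {
            return "home";
        }
        String name = pathInfo.substring(1);
        for (int i = 0; i < PAGES.length; i++) {
            if (PAGES[i].equals(name)) {
                return name;
            }
        }
        return null;
    }

    private void forward(HttpServletRequest req, HttpServletResponse resp,
                         String target) throws ServletException, IOException {
        // Dispatcher paths are resolved against the web application root and
        // may point into WEB-INF, which the container never serves to clients.
        RequestDispatcher rd = getServletContext().getRequestDispatcher(target);
        rd.forward(req, resp);
    }
}

/* Matching web.xml fragment for this example (Servlet 2.2 DTD assumed):

   <servlet>
     <servlet-name>controller</servlet-name>
     <servlet-class>FrontController</servlet-class>
   </servlet>
   <servlet-mapping>
     <servlet-name>controller</servlet-name>
     <url-pattern>/app/*</url-pattern>
   </servlet-mapping>
*/
```

Two design notes. First, the protection of the servicing pages here does not depend on the controller's url-pattern at all: the container's rule that nothing under /WEB-INF is served directly is what keeps them out of reach, and the controller reaches them only through the RequestDispatcher. Second, the example deliberately uses a prefix mapping (/app/*) rather than /*. In later servlet containers a path mapping such as /* takes precedence over the container's own *.jsp extension mapping and also receives RequestDispatcher forwards, so a controller mapped to /* ends up handling its own forwards to *.jsp pages; a prefix mapping avoids that interaction while still putting every user-facing URL through the session check.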
