Posted to commits@struts.apache.org by lu...@apache.org on 2014/03/06 22:36:12 UTC

[02/20] git commit: Adds security constraints to block access to jsp files

Adds security constraints to block access to jsp files


Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/6f43464f
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/6f43464f
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/6f43464f

Branch: refs/heads/develop
Commit: 6f43464fcaab59e7345a3e394db4a969cf410d15
Parents: 6b00db2
Author: Lukasz Lenart <lu...@apache.org>
Authored: Tue Feb 25 10:57:21 2014 +0100
Committer: Lukasz Lenart <lu...@apache.org>
Committed: Tue Feb 25 10:57:21 2014 +0100

----------------------------------------------------------------------
 .../jboss-blank/src/main/webapp/WEB-INF/web.xml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/struts/blob/6f43464f/apps/jboss-blank/src/main/webapp/WEB-INF/web.xml
----------------------------------------------------------------------
diff --git a/apps/jboss-blank/src/main/webapp/WEB-INF/web.xml b/apps/jboss-blank/src/main/webapp/WEB-INF/web.xml
index 4902479..88c6fc8 100644
--- a/apps/jboss-blank/src/main/webapp/WEB-INF/web.xml
+++ b/apps/jboss-blank/src/main/webapp/WEB-INF/web.xml
@@ -17,4 +17,24 @@
         <welcome-file>index.html</welcome-file>
     </welcome-file-list>
 
+    <!-- Restricts access to pure JSP files - access available only via Struts action -->
+    <security-constraint>
+        <display-name>No direct JSP access</display-name>
+        <web-resource-collection>
+            <web-resource-name>No-JSP</web-resource-name>
+            <url-pattern>*.jsp</url-pattern>
+        </web-resource-collection>
+        <auth-constraint>
+            <role-name>no-users</role-name>
+        </auth-constraint>
+        <user-data-constraint>
+            <transport-guarantee>NONE</transport-guarantee>
+        </user-data-constraint>
+    </security-constraint>
+    
+    <security-role>
+        <description>Don't assign users to this role</description>
+        <role-name>no-users</role-name>
+    </security-role>
+
 </web-app>
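Review bot: The `*.jsp` pattern on the url-pattern line only covers that one extension, so a page served as `.jspx` (or any other extension the container maps to the JSP servlet) remains directly requestable; either add `<url-pattern>*.jspx</url-pattern>` beside it or, more robustly, keep the pages under `/WEB-INF/`, which the container never serves directly regardless of mapping. The phantom `no-users` role is also unnecessary: the servlet spec treats an empty `<auth-constraint/>` as "deny everyone", which drops the `<security-role>` declaration and removes the possibility of a container role mapping that happens to grant `no-users` to all principals. The comment's claim that access is still available via a Struts action holds because security constraints apply to client requests and not to RequestDispatcher forwards, and that is worth stating explicitly, e.g. `<!-- Blocks direct client requests to JSPs; RequestDispatcher forwards from actions are not subject to security constraints -->`. Note that without a `<login-config>` a direct request gets a 403, whereas if one is later added the same request will instead trigger an authentication challenge, so the denial depends on nobody ever being mapped to the role.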