Posted to commits@struts.apache.org by lu...@apache.org on 2014/03/06 22:36:12 UTC
[02/20] git commit: Adds security constraints to block access to jsp
files
Adds security constraints to block access to jsp files
Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/6f43464f
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/6f43464f
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/6f43464f
Branch: refs/heads/develop
Commit: 6f43464fcaab59e7345a3e394db4a969cf410d15
Parents: 6b00db2
Author: Lukasz Lenart <lu...@apache.org>
Authored: Tue Feb 25 10:57:21 2014 +0100
Committer: Lukasz Lenart <lu...@apache.org>
Committed: Tue Feb 25 10:57:21 2014 +0100
----------------------------------------------------------------------
.../jboss-blank/src/main/webapp/WEB-INF/web.xml | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/struts/blob/6f43464f/apps/jboss-blank/src/main/webapp/WEB-INF/web.xml
----------------------------------------------------------------------
diff --git a/apps/jboss-blank/src/main/webapp/WEB-INF/web.xml b/apps/jboss-blank/src/main/webapp/WEB-INF/web.xml
index 4902479..88c6fc8 100644
--- a/apps/jboss-blank/src/main/webapp/WEB-INF/web.xml
+++ b/apps/jboss-blank/src/main/webapp/WEB-INF/web.xml
@@ -17,4 +17,24 @@
<welcome-file>index.html</welcome-file>
</welcome-file-list>
+ <!-- Restricts access to pure JSP files - access available only via Struts action -->
+ <security-constraint>
+ <display-name>No direct JSP access</display-name>
+ <web-resource-collection>
+ <web-resource-name>No-JSP</web-resource-name>
+ <url-pattern>*.jsp</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>no-users</role-name>
+ </auth-constraint>
+ <user-data-constraint>
+ <transport-guarantee>NONE</transport-guarantee>
+ </user-data-constraint>
+ </security-constraint>
+
+ <security-role>
+ <description>Don't assign users to this role</description>
+ <role-name>no-users</role-name>
+ </security-role>
+
</web-app>
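Review bot: The `<url-pattern>*.jsp</url-pattern>` in the new web-resource-collection covers only the `.jsp` extension, so JSP pages in XML syntax (`.jspx`) or any other extension the container's JSP servlet happens to be mapped to remain directly requestable; add `<url-pattern>*.jspx</url-pattern>` next to it, or move the pages under `/WEB-INF/`, which the container never serves to a client and which needs no role trick at all. The extension match is case-sensitive, which only matters if the target container serves `.JSP` on a case-insensitive filesystem — worth confirming for the JBoss deployment this blank app targets. Listing no `<http-method>` is the right choice, since naming methods would leave the unlisted ones unconstrained; I would record that intent in the existing comment, e.g. `<!-- No http-method is listed on purpose: the constraint must apply to every method -->`. Since the `<auth-constraint>` names a role nobody holds, a direct client request should be refused, though whether that is a 403 or an authentication challenge depends on the container and on any `<login-config>` outside this hunk, while a RequestDispatcher forward from an action is, per the servlet spec, not subject to the constraint — which is what makes the "only via Struts action" comment hold.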