Posted to dev@struts.apache.org by de...@struts.apache.org on 2005/01/01 19:05:32 UTC

[Apache Struts Wiki] Updated: StrutsCatalogHidingPagesUnderWEBINF

   Date: 2005-01-01T10:05:31
   Editor: DavidKarr
   Wiki: Apache Struts Wiki
   Page: StrutsCatalogHidingPagesUnderWEBINF
   URL: http://wiki.apache.org/struts/StrutsCatalogHidingPagesUnderWEBINF

   no comment

Change Log:

------------------------------------------------------------------------------
@@ -19,3 +19,11 @@
 I personally prefer to use filter for hiding pages. I set filter to return 404 on every request for *.jsp page. I can also change filter to allow for example only index.jsp to pass, but all other pages to be unavailable. This is IMHO better than relying on container implementation.
 
 -- IvanRekovic
+
+----
+
+Another option for disallowing access to JSPs is simply to add a security-constraint for the  role "nobody" for "*.jsp".  Unfortunately, it appears you have to add one "url-pattern" element for every subdirectory.  I don't believe there's any way to specify something like "**/*.jsp", as in Ant.
+
+You can even disallow access to JSPs in the root of the app, like "index.jsp".  You might think this makes it impossible to have a welcome page. However, one "trick" that I believe should work in all containers is to set your welcome file to "index.do", create a file called "index.do" in the root (contents are irrelevant), and create an action-mapping for "/index.do".  This works because the servlet specification states that the named welcome file needs to exist, but then it hands the URL to the container to serve, which handles it just like any other URL.
+
+-- DavidKarr
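
Review bot: The added paragraph beginning "Another option for disallowing access to JSPs" describes a web.xml change without showing it, and its main limitation is hedged with "it appears" and "I don't believe". Suggest including the actual security-constraint fragment (the "*.jsp" url-pattern plus an auth-constraint naming "nobody"), stating that no user may ever be assigned that role, and checking the one-url-pattern-per-subdirectory claim against the servlet specification, where "*.jsp" is an extension pattern rather than a directory-relative glob. The welcome-file paragraph likewise says the index.do trick "should work in all containers"; naming the containers it was tried on would let readers judge that.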
