struts-user mailing list archives

From "Pingili, Madhupal" <MPing...@BBandT.com>
Subject RE: block direct access to JSP files
Date Thu, 19 Jun 2003 17:55:42 GMT
Hi,
I found a thread related to this: subject: Protecting JSPs using
security-constraint
Basically, the solution suggested was:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>SecureAllJSPs</web-resource-name>
        <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>nobody</role-name>
    </auth-constraint>
</security-constraint>

<security-role>
    <role-name>nobody</role-name>
</security-role>

or

<security-role>
    <role-name>*</role-name>
</security-role>

Thanks to David Graham and Mick Knutson

Regards,
Reddy


> -----Original Message-----
> From:	Emmanuel Feller [SMTP:Emmanuel.Feller@free.fr]
> Sent:	Thursday, June 19, 2003 1:43 PM
> To:	Struts Users Mailing List; davidchan@gscg.net
> Subject:	Re: block direct access to JSP files
> 
> Hi,
> 
> You may put all your JSPs under the WEB-INF directory, so
> they are not available to the user. But the application still
> works, because all navigation is done by the Struts
> controller. It is simple and works fine with all app servers.
> 
> You must change your struts-config.xml to reflect the
> changes of target for all your forwards. It should be done by
> find/replace ...
> 
> Regards,
> Emmanuel
> ----- Original Message -----
> From: "Takfung Chan" <davidchantf@comcast.net>
> To: "Struts Users Mailing List" <struts-user@jakarta.apache.org>
> Sent: Thursday, June 19, 2003 18:10
> Subject: block direct access to JSP files
> 
> 
> > Hi,
> > I have a Struts-based application and would like to block all direct
> > access to JSP files by users, so if a user types a URL pointing to a JSP
> > file directly, it will fail. I made a change to web.xml, but it is not
> > working on WebSphere 4.0.3 (I should post to the WebSphere newsgroup,
> > but I hope someone here has already done the same thing).
> > Here is my web.xml config related to this web resource protection. It
> > works fine on Tomcat, but never on WebSphere. Any idea?
> >
> > <security-constraint>
> >   <web-resource-collection>
> >     <web-resource-name>blockJSPDirectAccess</web-resource-name>
> >     <description>to block JSP direct access</description>
> >     <url-pattern>*.jsp</url-pattern>
> >   </web-resource-collection>
> >   <auth-constraint>
> >     <description></description>
> >     <role-name></role-name>
> >   </auth-constraint>
> > </security-constraint>

---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org
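
An added example, not part of the original thread or of Struts: a small Python audit that reads a web.xml and reports what a direct request for a given JSP path would meet, covering both approaches discussed above (a *.jsp security-constraint and moving JSPs under WEB-INF). The function names, verdict labels and sample paths are hypothetical; the check looks at each constraint on its own and does not model overlapping constraints or http-method restrictions.

```python
import xml.etree.ElementTree as ET

def _find(elem, name):
    # Match on local name so DTD-era and namespaced web.xml files both work.
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]

def _matches(pattern, path):
    # Servlet url-pattern forms: "*.ext" (extension), "/dir/*" (prefix), exact.
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return path == pattern

def verdict(web_xml, jsp_path):
    """Classify what a direct browser request for jsp_path would meet."""
    if jsp_path.startswith("/WEB-INF/"):
        return "hidden"          # containers never serve WEB-INF content directly
    for sc in _find(ET.fromstring(web_xml), "security-constraint"):
        patterns = [(p.text or "").strip() for p in _find(sc, "url-pattern")]
        auth = _find(sc, "auth-constraint")
        if not auth or not any(_matches(p, jsp_path) for p in patterns):
            continue
        roles = [(r.text or "").strip() for r in _find(auth[0], "role-name")]
        if not roles:
            return "denied"      # auth-constraint naming no role: no user allowed
        if not any(roles):
            return "fragile"     # empty <role-name>: the form reported failing on WebSphere 4.0.3
        return "role-gated"      # blocked only while no user is mapped to these roles
    return "exposed"

# Constructed samples: the two constraint styles from the thread.
NOBODY = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SecureAllJSPs</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>nobody</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>nobody</role-name></security-role>
</web-app>"""
EMPTY_ROLE = NOBODY.replace("<role-name>nobody</role-name></auth", "<role-name></role-name></auth")

if __name__ == "__main__":
    for label, xml in (("nobody role", NOBODY), ("empty role", EMPTY_ROLE), ("no constraint", "<web-app/>")):
        for path in ("/pages/list.jsp", "/WEB-INF/pages/list.jsp"):
            print(f"{label:14} {path:26} {verdict(xml, path)}")
```

A "role-gated" result for the nobody role is only a block as long as the container's user registry maps no account to that role, which is worth re-checking after any change to role assignments.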

