struts-user mailing list archives

From Takfung Chan <davidcha...@comcast.net>
Subject Re: RE: block direct access to JSP files
Date Thu, 19 Jun 2003 19:39:42 GMT
I tried this within my WSAD 4.0.3 test environment; it doesn't work and has no 
effect on any JSP files.

I don't know if I need to configure my WSAD but I thought this is a 
normal J2EE standard, which is not true in WSAD.

David

----- Original Message -----
From: "Pingili, Madhupal" <MPingili@BBandT.com>
Date: Thursday, June 19, 2003 1:55 pm
Subject: RE: block direct access to JSP files

> Hi,
> I found a thread related to this: subject: Protecting JSPs using
> security-constraint
> Basically, the solution suggested was:
> <security-constraint>
>     <web-resource-collection>
>         <web-resource-name>SecureAllJSPs</web-resource-name>
>         <url-pattern>*.jsp</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>         <role-name>nobody</role-name>
>     </auth-constraint>
> </security-constraint>
> 
> 	<security-role>
>        	<role-name>nobody</role-name>
>    </security-role>
> 
> or 	<security-role>
>        	<role-name>*</role-name>
>    </security-role>
> 
> Thanks to David Graham and Mick Knutson
> 
> Regards,
> Reddy
> 
> 
> > -----Original Message-----
> > From:	Emmanuel Feller [SMTP:Emmanuel.Feller@free.fr]
> > Sent:	Thursday, June 19, 2003 1:43 PM
> > To:	Struts Users Mailing List; davidchan@gscg.net
> > Subject:	Re: block direct access to JSP files
> > 
> > Hi,
> > 
> > You may put all your JSPs under the WEB-INF directory, so
> > they are not available to the user. But the application still
> > works, because all navigation is done by the Struts
> > controller. It is simple and works fine with all app servers.
> > 
> > You must change your struts-config.xml to reflect the
> > changes of target for all your forwards. It should be done by
> > find/replace ...
> > 
> > Regards,
> > Emmanuel
> > ----- Original Message -----
> > From: "Takfung Chan" <davidchantf@comcast.net>
> > To: "Struts Users Mailing List" <struts-user@jakarta.apache.org>
> > Sent: Thursday, 19 June 2003 18:10
> > Subject: block direct access to JSP files
> > 
> > 
> > > Hi,
> > >  I have a Struts-based application and would like to block all direct
> > > access to JSP files by users, so if a user types a URL pointing to a JSP
> > > file directly, it will fail. I made a change to web.xml but it is not working
> > > on Websphere 4.0.3 (I should post to the Websphere newsgroup but I hope
> > > someone here already did the same thing).
> > >  Here is my web.xml config related to this web resource protection. It
> > > works fine on Tomcat, but never in Websphere. Any idea?
> > >
> > > <security-constraint>
> > >   <web-resource-collection>
> > >   <web-resource-name>blockJSPDirectAccess</web-resource-name>
> > >   <description>to block JSP direct access</description>
> > >   <url-pattern>*.jsp</url-pattern>
> > >   </web-resource-collection>
> > >   <auth-constraint>
> > >   <description></description>
> > >   <role-name></role-name>
> > >   </auth-constraint>
> > >   </security-constraint>
> > >
> > >
> > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
> > > For additional commands, e-mail: struts-user-help@jakarta.apache.org
> > >
> > >
> > 
> > 
> > 
> 


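Added example, not part of the original thread or any poster's code: a Python check that reads a web.xml and reports how each security-constraint covering `*.jsp` would treat a direct request. The `SAMPLE` descriptor is constructed from the two forms quoted in the thread (the `http-method` line is an added assumption), the function names are hypothetical, and the `deny-all` verdict assumes the Servlet 2.4+ rule that an `auth-constraint` naming no roles permits no access.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two constraint forms quoted in the thread.
SAMPLE = """<web-app>
  <security-constraint><web-resource-collection>
    <web-resource-name>SecureAllJSPs</web-resource-name>
    <url-pattern>*.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint><role-name>nobody</role-name></auth-constraint>
  </security-constraint>
  <security-constraint><web-resource-collection>
    <web-resource-name>blockJSPDirectAccess</web-resource-name>
    <url-pattern>*.jsp</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint><role-name></role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def _kids(elem, name):
    # Match on local name so namespaced (2.4+) descriptors also work.
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def _texts(elem, name):
    return [(c.text or "").strip() for c in _kids(elem, name)]

def audit_jsp_constraints(web_xml, pattern="*.jsp"):
    """Return (resource name, verdict) for each constraint covering pattern."""
    findings = []
    for sc in _kids(ET.fromstring(web_xml), "security-constraint"):
        for wrc in _kids(sc, "web-resource-collection"):
            if pattern not in _texts(wrc, "url-pattern"):
                continue
            name = (_texts(wrc, "web-resource-name") or ["(unnamed)"])[0]
            auth = _kids(sc, "auth-constraint")
            roles = _texts(auth[0], "role-name") if auth else []
            if not auth:
                verdict = "open"          # no auth-constraint: nothing is restricted
            elif not roles:
                verdict = "deny-all"      # auth-constraint naming no roles
            elif "" in roles:
                verdict = "blank-role"    # form from the original post
            else:
                verdict = "roles:" + ",".join(roles)
            methods = _texts(wrc, "http-method")
            if methods:                   # other HTTP methods are not covered
                verdict += " only:" + ",".join(methods)
            findings.append((name, verdict))
    return findings
```

A `roles:` verdict blocks direct access only while no user is ever mapped to that role. Security constraints are evaluated for client requests and not for `RequestDispatcher` forwards, which is why Struts forwards to the JSPs keep working.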