velocity-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Daniel Dekany <ddek...@freemail.hu>
Subject Re: Disable direct acces to vm's when using velocity + struts +tiles
Date Tue, 04 Jan 2005 05:26:36 GMT
But sometimes it's better for the designers if the template files are
stored together with the static files, that is, in the same directories.
It's just easier to understand for them, and it's more logical anyway,
at least after using JSP-s, PHP-s, ASP-s, etc. In that case, I found
that the safest is to map a special servlet to the the template
extension in the web.xml, which always responds HTTP error 403
(forbidden):

  <servlet>
    <servlet-name>forbidTemplateAccess</servlet-name>
    <servlet-class>ddekany.web.ForbiddenServlet</servlet-class>
    <init-param>
      <param-name>message</param-name>
      <param-value>You can't access the view templates directly.</param-value>
    </init-param>
  </servlet>

  ...
  
  <servlet-mapping>
    <servlet-name>forbidTemplateAccess</servlet-name>
    <url-pattern>*.ftl</url-pattern>
  </servlet-mapping>

It assumes that the "view servlet" is not associated with the template
extension, that is, the controller servlet doesn't forward the requests
to the address of the templates... I don't know what approach does your
system use. But anyway, if the MVC architecture relies on forwarding the
request to the templates, then there is still no problem: you can use
the access control features described in the servlet spec (web.xml
again), because they are applied only against non-forwarded requests.
  
Monday, January 3, 2005, 9:25:46 PM, Will Glass-Husain wrote:

> If you are using Apache as a front-end to Tomcat, you can do all kinds of
> great things to control access and/or rewrite URLS.
>
> Here's a simple example:
> (note wildcards will also work).
>
> <Directory /home/httpd/vhosts/www/httpdocs/templates>
>    deny from all
>    AllowOverride None
> </Directory>
>
> WILL
>
> ----- Original Message ----- 
> From: "Mike Kienenberger" <mkienenb@alaska.net>
> To: "Velocity Users List" <velocity-user@jakarta.apache.org>
> Cc: "Velocity Users List" <velocity-user@jakarta.apache.org>
> Sent: Monday, January 03, 2005 12:18 PM
> Subject: Re: Disable direct acces to vm's when using velocity + struts
> +tiles
>
>
>> Matt Higgins <mhiggins@bluesocket.com> wrote:
>>> Is it possible to disable direct access to vm files ? When using
>>> velocity and tiles, the user never sees the .vm but if you know the
>>> correct url you could access
>>>
>>> /myapp/pages/foo/template.vm
>>>
>>> This would render a bogus pages as it did not go through the tiles
>>> processor or any of my struts actions.
>>
>> I think that anything you put into WEB-INF is no longer directly 
>> accessible.
>>
>> My velocity templates are in ./WEB-INF/pages and other such 
>> subdirectories.
>>
>> -Mike
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: velocity-user-unsubscribe@jakarta.apache.org
>> For additional commands, e-mail:
>> velocity-user-help@jakarta.apache.org
>> 
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: velocity-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: velocity-user-help@jakarta.apache.org
>


-- 
Best regards,
 Daniel Dekany


____________________________________________________________________
Miert fizetsz az internetert? Korlatlan, ingyenes internet hozzaferes a FreeStarttol.
Probald ki most! http://www.freestart.hu

---------------------------------------------------------------------
To unsubscribe, e-mail: velocity-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: velocity-user-help@jakarta.apache.org


Mime
View raw message