Re: How to prevent JSP files from being publicly directly accessible?

2010-02-17 Thread Lukasz Lenart
2010/2/18 Cimballi :
> The default pattern is to put all JSPs under WEB-INF and so you force
> the call to an action to access them.
As far as I know, it works only under Tomcat - it isn't standard. A better solution is to use a security constraint section in web.xml
Access to JSP files JSP *.j

Re: How to prevent JSP files from being publicly directly accessible?

2010-02-17 Thread Cimballi
The default pattern is to put all JSPs under WEB-INF and so you force the call to an action to access them.
Cimballi
On Wed, Feb 17, 2010 at 7:46 PM, Wong Chin Shin wrote:
> Hi,
>
> I've had a pen test finding where our JSP files, which are in the public
> directories of our web app can be open

How to prevent JSP files from being publicly directly accessible?

2010-02-17 Thread Wong Chin Shin
Hi, I've had a pen test finding where our JSP files, which are in the public directories of our web app, can be opened directly as long as the user knows the name of the JSP file. This is a site where a login is mandatory to access any content. Struts actions are already protected where the action

RE: [Q] JavaTemplate Plugin

2010-02-17 Thread Hoying, Ken
Issue registered: https://issues.apache.org/jira/browse/WW-3386
-----Original Message-----
From: Lukasz Lenart [mailto:lukasz.len...@googlemail.com]
Sent: Wednesday, February 17, 2010 11:44 AM
To: Struts Users Mailing List
Subject: Re: [Q] JavaTemplate Plugin
2010/2/17 Hoying, Ken :
> This end

Re: [Q] JavaTemplate Plugin

2010-02-17 Thread Lukasz Lenart
2010/2/17 Hoying, Ken :
> This ended up being a little tougher to accomplish than I had expected.
>
> I tried to override the TemplateEngineManager by specifying the bean in my
> struts.xml file.  However, struts did not like that there was one already
> loaded from the struts-default.xml.
>
> So

RE: [Q] JavaTemplate Plugin

2010-02-17 Thread Hoying, Ken
This ended up being a little tougher to accomplish than I had expected. I tried to override the TemplateEngineManager by specifying the bean in my struts.xml file. However, struts did not like that there was one already loaded from the struts-default.xml. So I created a copy of the struts-defa