Take a look at http://wiki.apache.org/struts/StrutsCatalogHidingPagesUnderWEBINF for one of the more common approaches taken for this problem.
On Fri, 28 Jan 2005 19:09:46 +0000, Tim Christopher <[EMAIL PROTECTED]> wrote: > Hi, > > I would like to block direct access to jsp files, and from what I've > read the best practice appears to be setting a security-constraint > within the web.xml file. (As opposed to storing all *.jsp files > within the WEB-INF folder, though please correct me if that's wrong). > > I've currently tried using the following code to block *.jsp access: > > <security-constraint> > <web-resource-collection> > <web-resource-name>no_access</web-resource-name> > <url-pattern>/pages/*</url-pattern> > </web-resource-collection> > </security-constraint> > > ... The effect of this code appears to be nothing, as I can still > gain acess to the jsp files stored within /pages/common/header.jsp for > example. > > I have tried changing the url-pattern to "pages/*" (removing the > initial / character), though this blocks access to the entire web > module. > > Any help / feedback appreciated. > > Tim Christopher > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
