Yes, it will not show the directory listing. But now a user has to guess
your JSP name and its folder location, which I think is difficult. And keeping
the JSPs inside WEB-INF will make the coder add the WEB-INF before the
page location. :(


Regards,
---------------------------------------------------------
Girish Naik
Mobile:-+91-09740091638
girish.n...@gmail.com
George Carlin<http://www.brainyquote.com/quotes/authors/g/george_carlin.html>
- "Electricity is really just organized lightning."

On Thu, Jun 18, 2009 at 8:45 PM, Jan T. Kim <j....@uea.ac.uk> wrote:

> On Thu, Jun 18, 2009 at 07:47:45PM +0530, Girish Naik wrote:
> > Go to Tomcat Home/conf/web.xml file. In this file put listings as false.
> > <init-param>
> >     <param-name>listings</param-name>
> >     <param-value>false</param-value>
> > </init-param>
> >
> > Regards,
> > ---------------------------------------------------------
> > Girish Naik
>
> Doesn't that still allow access by direct URL to the JSP? I think
> it disables directory listings only.
>
> Anyway, perhaps the easiest solution is to put such JSPs in a subdirectory
> of WEB-INF. The web container must not expose that hierarchy via HTTP
> (see servlet spec, section 9.5). I like to keep my JSPs in /WEB-INF/views.
>
> Best regards, Jan
>
> > Mobile:-+91-09740091638
> > girish.n...@gmail.com
> > Rodney Dangerfield <http://www.brainyquote.com/quotes/authors/r/rodney_dangerfield.html>
> > - "What a dog I got, his favorite bone is in my arm."
> >
> > On Thu, Jun 18, 2009 at 7:11 PM, Greg Lindholm <greg.lindh...@gmail.com> wrote:
> >
> > > We put all our JSP files into a /struts/ folder then add the following
> > > security constraint to web.xml
> > >
> > >
> > >    <security-constraint>
> > >        <display-name>Prevent access to raw pages.</display-name>
> > >        <web-resource-collection>
> > >            <web-resource-name>Raw Pages</web-resource-name>
> > >            <url-pattern>/struts/*</url-pattern>
> > >        </web-resource-collection>
> > >        <auth-constraint>
> > >            <description>No roles, so no direct access</description>
> > >        </auth-constraint>
> > >    </security-constraint>
> > >
> > >
> > > On Thu, Jun 18, 2009 at 9:32 AM, abhishek reddy <abhishek.c1...@gmail.com> wrote:
> > >
> > > > How to prevent users from directly accessing JSP files, rather they have to
> > > > come through a Struts action?
> > > >
> > > > --
> > > > Abhishek
> > > >
> > >
>
> --
>  +- Jan T. Kim -------------------------------------------------------+
>  |             email: j....@uea.ac.uk                                 |
>  |             WWW:   http://www.cmp.uea.ac.uk/people/jtk             |
>  *-----=<  hierarchical systems are for files, not for humans  >=-----*
>
>
>
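
An added example, not part of the thread: a small audit that combines the two approaches discussed above (a role-less `<auth-constraint>` and keeping JSPs under WEB-INF) and reports which JSPs a client could still request by URL. The function names, the sample descriptor and the JSP paths are constructed for illustration; the second constraint shows a case where listing an HTTP method leaves the other methods unconstrained.

```python
import xml.etree.ElementTree as ET
# Constructed sample descriptor (assumption, not taken from the thread).
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Raw Pages</web-resource-name>
      <url-pattern>/struts/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

def local(tag):
    """Drop the XML namespace so any web.xml schema version is accepted."""
    return tag.rsplit("}", 1)[-1]

def deny_all_patterns(web_xml):
    """url-patterns under an auth-constraint with no roles and no method limit."""
    patterns = []
    for sc in (e for e in ET.fromstring(web_xml).iter() if local(e.tag) == "security-constraint"):
        auth = [e for e in sc if local(e.tag) == "auth-constraint"]
        no_roles = bool(auth) and not any(local(r.tag) == "role-name" for a in auth for r in a)
        for wrc in (e for e in sc if local(e.tag) == "web-resource-collection"):
            # http-method / http-method-omission restrict the constraint to some methods only.
            if no_roles and not any(local(e.tag).startswith("http-method") for e in wrc):
                patterns += [e.text.strip() for e in wrc if local(e.tag) == "url-pattern"]
    return patterns

def matches(pattern, path):
    """Servlet-spec url-pattern matching: path prefix, extension, or exact."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def directly_reachable(web_xml, jsp_paths):
    """JSPs a client can request by URL: outside WEB-INF and not denied."""
    denied = deny_all_patterns(web_xml)
    return [p for p in jsp_paths if not p.startswith("/WEB-INF/")
            and not any(matches(d, p) for d in denied)]
```

Pass it the context-relative paths of every `.jsp` in the deployed application; anything it returns can be fetched without going through a Struts action.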
