I'll be curious to see the answers. JSPs are servlets.
For us, the common way would be for your non-JSP servlets to authenticate the request (and save the results in the request), and then your JSPs can check if the request has been authenticated before progressing further. Of course, if it's just a login check, you can save the results of the authentication in the session, and when missing, redirect to your login.
On 8/16/18 10:19 AM, Berneburg, Cris J. - US wrote:
Due to security concerns and general fussiness on my part, I'd like to prevent users from requesting JSP pages directly, except for the login page. I want all requests to be handled by servlets. That way I can legitimately claim that all requests are being validated, input scrubbed, JSP's cannot be taken advantage of w/o their servlet chaperones being present, etc. a. One way I read is by adding a <security-constraint> for each folder. One use case is for JSP include files. That looks possible but makes it seem like these are exceptions and not the rule. I want "deny, deny, deny" to be the default and the one or 2 allowable JSP pages to be the exception. b. Another way mentioned is by having most of the JSP files under the WEB-INF folder. That way the users don't have access to the JSP's but the servlets do. My understanding is a little wobbly here, because I can't conceptualize the virtual path for files under WEB-INF when sending a response. (See line of code below.) Also, that would require moving most of the JSP files.request.getRequestDispatcher("folder/file.jsp"); // what about WEB-INF?Is there a "smart" way of doing this? Perhaps it would have been prudent to organize the JSP folders "properly" in the first place, but we're way beyond that now. Got any comments, suggestions, advice? Thanks. :-) -- Cris Berneburg CACI Lead Software Engineer
--------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
