Cris,

On 8/16/18 1:19 PM, Berneburg, Cris J. - US wrote:
> Due to security concerns and general fussiness on my part, I'd
> like to prevent users from requesting JSP pages directly, except
> for the login page.

Why except for the login page? I would include the login page as
something that should be fronted with a (non-JSP) servlet, even if
that servlet doesn't do anything right now. It gives you great
flexibility in the future.

> I want all requests to be handled by servlets. That way I can
> legitimately claim that all requests are being validated, input
> scrubbed, JSP's cannot be taken advantage of w/o their servlet
> chaperones being present, etc.

Well... it's easy to put a servlet in front of everything that does
*not* provide everything above, but... let's just assume that's all
being competently done.

> a. One way I read is by adding a <security-constraint> for each
> folder. One use case is for JSP include files. That looks
> possible but makes it seem like these are exceptions and not the
> rule. I want "deny, deny, deny" to be the default and the one or 2
> allowable JSP pages to be the exception.

This is certainly doable, but it's a lot of work, and you have to
maintain those blacklists as your application grows.

> b. Another way mentioned is by having most of the JSP files under
> the WEB-INF folder. That way the users don't have access to the
> JSP's but the servlets do. My understanding is a little wobbly
> here, because I can't conceptualize the virtual path for files
> under WEB-INF when sending a response. (See line of code below.)
> Also, that would require moving most of the JSP files.

This is the way I've always seen it done, and the way I would
recommend that you do it. It *does* require that you move all your
JSPs, but that's a one-time headache and it sets a precedent for the
future of your project(s): put all your JSPs under /WEB-INF.

You will of course also have to fix every include/forward that you
have in your application to include/forward to /WEB-INF/foo.jsp
instead of just /foo.jsp.

Hope that helps,
-chris
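The pattern Chris recommends, written out as an added example (this is not code from the thread or from Tomcat itself): a servlet "chaperone" that validates the login form fields and then forwards to a JSP stored under /WEB-INF, which the container will not serve to a browser directly. The class name LoginServlet, the /login mapping, the path /WEB-INF/jsp/login.jsp, the username/password parameter names and the allow-list pattern are all assumptions for this example; it targets the javax.servlet API of Tomcat 8.5/9 (Tomcat 10+ uses the jakarta.servlet package instead).

```java
import java.io.IOException;
import java.util.regex.Pattern;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Servlet "chaperone" for the login view (example only; names are assumed).
 *
 * The JSP lives under /WEB-INF, so a browser request for
 * /WEB-INF/jsp/login.jsp is refused by Tomcat with a 404, but the
 * container's RequestDispatcher can still forward to it. Every request
 * therefore passes through this servlet's validation before the JSP
 * renders anything.
 */
@WebServlet(urlPatterns = "/login")
public class LoginServlet extends HttpServlet {

    // Context-relative path: the leading slash is the webapp root, not the
    // filesystem root, and the same string works for forward and include.
    private static final String LOGIN_VIEW = "/WEB-INF/jsp/login.jsp";

    // Allow-list for the username field: deny by default, accept only a
    // small, known-good character set of bounded length.
    private static final Pattern USERNAME = Pattern.compile("[A-Za-z0-9._-]{1,64}");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // A plain GET just renders the empty form.
        render(req, resp, null);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username = req.getParameter("username");
        String password = req.getParameter("password");

        if (username == null || !USERNAME.matcher(username).matches()
                || password == null || password.isEmpty()) {
            // Validation failed: re-render the form with a generic message
            // and do not hand the raw input to the view.
            resp.setStatus(HttpServletResponse.SC_BAD_REQUEST);
            render(req, resp, "Invalid username or password.");
            return;
        }

        // Credential checking is out of scope for this example; a real
        // servlet would call the application's authenticator here and,
        // on success, establish the session and redirect elsewhere.
        // Only already-validated values are exposed to the JSP.
        req.setAttribute("username", username);
        render(req, resp, null);
    }

    /** Hands the scrubbed request to the JSP; the JSP never sees the client directly. */
    private void render(HttpServletRequest req, HttpServletResponse resp, String error)
            throws ServletException, IOException {
        if (error != null) {
            req.setAttribute("error", error);
        }
        // getRequestDispatcher() resolves paths under /WEB-INF even though
        // the default servlet refuses to serve that directory to clients.
        RequestDispatcher view = req.getRequestDispatcher(LOGIN_VIEW);
        view.forward(req, resp);
    }
}
```

The same context-relative path form applies to the includes Chris mentions: `<jsp:include page="/WEB-INF/jsp/header.jsp" />` and `<%@ include file="/WEB-INF/jsp/header.jsp" %>` both resolve under /WEB-INF, so include fragments can move there along with the pages. The JSP should still escape anything it prints (for example `${fn:escapeXml(error)}`), since the servlet's validation constrains the input but output encoding remains the view's job.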