There's another considerable option:

c. Implement a servlet filter which is mapped to /* with dispatcher
options: REQUEST, INCLUDE, FORWARD. The filter may check the request
URI or include/forward URI (through request attributes).

Regards,

Woonsan

On Thu, Aug 16, 2018 at 1:19 PM, Berneburg, Cris J. - US
<cberneb...@caci.com> wrote:
> Due to security concerns and general fussiness on my part, I'd like to 
> prevent users from requesting JSP pages directly, except for the login page.  
> I want all requests to be handled by servlets.  That way I can legitimately 
> claim that all requests are being validated, input scrubbed, JSP's cannot be 
> taken advantage of w/o their servlet chaperones being present, etc.
>
> a. One way I read is by adding a <security-constraint> for each folder.  One 
> use case is for JSP include files.  That looks possible but makes it seem 
> like these are exceptions and not the rule.  I want "deny, deny, deny" to be 
> the default and the one or 2 allowable JSP pages to be the exception.
>
> b. Another way mentioned is by having most of the JSP files under the WEB-INF 
> folder.  That way the users don't have access to the JSP's but the servlets 
> do.  My understanding is a little wobbly here, because I can't conceptualize 
> the virtual path for files under WEB-INF when sending a response.  (See line 
> of code below.)  Also, that would require moving most of the JSP files.
>
>> request.getRequestDispatcher("folder/file.jsp"); // what about WEB-INF?
>
> Is there a "smart" way of doing this?  Perhaps it would have been prudent to 
> organize the JSP folders "properly" in the first place, but we're way beyond 
> that now.
>
> Got any comments, suggestions, advice?
>
> Thanks.  :-)
>
> --
> Cris Berneburg
> CACI Lead Software Engineer
>
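A concrete form of option (c), added here as an example; it is not Woonsan's code and not anything shipped with Tomcat. The class name, the allow-list holding only /login.jsp, and answering with a 404 are assumptions; the dispatcher-type mapping and the javax.servlet.include.* attribute lookup are the mechanism described in the reply above.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Locale;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Option (c): one filter on /* for REQUEST, FORWARD and INCLUDE. A JSP runs
// only when a servlet forwards to or includes it; a browser asking for it
// directly gets 404 unless the page is on the allow-list.
@WebFilter(urlPatterns = "/*", dispatcherTypes = {
        DispatcherType.REQUEST, DispatcherType.FORWARD, DispatcherType.INCLUDE})
public class DirectJspAccessFilter implements Filter {
    // Hypothetical allow-list: only the login page may be requested directly.
    private static final Set<String> DIRECTLY_ALLOWED =
            Collections.singleton("/login.jsp");

    // Pure decision, kept apart from servlet objects so it can be unit-tested.
    static boolean isDeniedDirectJsp(DispatcherType type, String path) {
        String p = path.toLowerCase(Locale.ROOT);
        boolean jsp = p.endsWith(".jsp") || p.endsWith(".jspx");
        return jsp && type == DispatcherType.REQUEST && !DIRECTLY_ALLOWED.contains(path);
    }

    // Context-relative path about to be served. REQUEST and FORWARD already show
    // the target in the request object; INCLUDE exposes it only via attributes.
    static String targetPath(HttpServletRequest r) {
        String sp = r.getServletPath(), pi = r.getPathInfo();
        Object inc = r.getAttribute("javax.servlet.include.servlet_path");
        if (r.getDispatcherType() == DispatcherType.INCLUDE && inc != null) {
            sp = (String) inc;
            pi = (String) r.getAttribute("javax.servlet.include.path_info");
        }
        return pi == null ? sp : sp + pi;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        if (isDeniedDirectJsp(request.getDispatcherType(), targetPath(request))) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
            return; // a plain 404 does not reveal that the JSP exists
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

Because ERROR and ASYNC dispatches are not in the mapping, container-driven error pages that are JSPs still render; add those dispatcher types if that is not wanted.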

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
