On 16/08/18 18:19, Berneburg, Cris J. - US wrote:
> Due to security concerns and general fussiness on my part, I'd like to 
> prevent users from requesting JSP pages directly, except for the login page.  
> I want all requests to be handled by servlets.  That way I can legitimately 
> claim that all requests are being validated, input scrubbed, JSP's cannot be 
> taken advantage of w/o their servlet chaperones being present, etc.

I'm struggling to understand what risks exist with JSPs that don't with
Servlets. After all, a JSP is just an alternative way to write a
Servlet. Tomcat translates the .jsp file to the .java source for a
servlet, compiles it and runs it.

Can you elaborate?

Mark
