Mark,
On 8/17/18 3:54 AM, Mark Thomas wrote:
> On 16/08/18 18:19, Berneburg, Cris J. - US wrote:
>> Due to security concerns and general fussiness on my part, I'd like to prevent users from requesting JSP pages directly, except for the login page. I want all requests to be handled by servlets. That way I can legitimately claim that all requests are being validated, input scrubbed, JSPs cannot be taken advantage of w/o their servlet chaperones being present, etc.
>
> I'm struggling to understand what risks exist with JSPs that don't with Servlets. After all, a JSP is just an alternative way to write a Servlet. Tomcat translates the .jsp file to the .java source for a servlet, compiles it and runs it.
>
> Can you elaborate?

JSP support for input validation, etc. is basically non-existent. I'm sure someone has a crappy library that can do it, and yes, you can implement everything in JSP using miles of tag libraries and stuff like that, but in the application world, that's a serious no-no. MVC (or some version of it, under various names) is the "proper" way to build software, and JSPs are relegated to the "V" portion of that paradigm.

Once you have decided that JSPs are squarely in the "V" category, it's no longer appropriate for them to be treated as "C" components and therefore they should not be accessed directly. Protecting them from direct access is a reasonable decision for a number of reasons, including security if you have pages that cough up sensitive information under the assumption that authentication and authorization requirements have previously been satisfied. Sure, the container's authentication and authorization should be able to protect those JSPs just fine, but the application may have other controls in place that also need to sanity-check things before the JSP takes over.
So, while there isn't anything particularly "dangerous" about direct access to JSPs, there are a number of "best practices" that suggest that hiding them is a good idea.

I hope that helps explain Cris's (likely) reasoning a little more.

-chris
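One way to get the container itself to enforce the "no direct JSP requests except the login page" rule that Cris describes, as an added example that is not part of this thread or of Tomcat's own configuration: a web.xml fragment for the webapp (the constraint names, the `/login.jsp` path and the `*.jsp`/`*.jspx` patterns are assumptions about the application). It relies on the fact that security constraints are checked only for requests arriving from a client, so a controller servlet can still reach the hidden JSPs with `RequestDispatcher.forward()`.

```xml
<!-- Added example (constructed), not from the thread: fragment of WEB-INF/web.xml. -->

<!-- Deny direct client requests for every JSP. The empty <auth-constraint/>
     means "no role may access", so Tomcat answers 403 Forbidden no matter who
     is logged in, and never issues a login challenge for these URLs.
     A servlet's RequestDispatcher.forward() to one of these JSPs is not subject
     to security constraints, so the controller servlets remain the only way in. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>view-only-jsps</web-resource-name>
    <url-pattern>*.jsp</url-pattern>
    <url-pattern>*.jspx</url-pattern>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>

<!-- Exception for the login page. An exact-match pattern is the "best match"
     for the request URI and takes precedence over the *.jsp extension pattern
     above; a constraint with no <auth-constraint> element at all leaves the
     resource unconstrained, so /login.jsp stays reachable by anyone. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>login-page</web-resource-name>
    <url-pattern>/login.jsp</url-pattern>
  </web-resource-collection>
</security-constraint>
```

A check worth running after deploying this: request any hidden JSP directly and expect a 403, then request the same page through its controller servlet and expect the rendered view. Where the JSP URLs are not already public, moving the files under `/WEB-INF/` is the simpler alternative, since the container never serves that directory directly and forwards to it still work.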