On Mon, Aug 20, 2018 at 1:19 PM, Berneburg, Cris J. - US <cberneb...@caci.com> wrote:
> Hi Woonsan
>
> Thanks for providing an "option C". :-) There is still much for me to learn.

You're welcome. :-)

> cjb> Due to security concerns and general fussiness on my part, I'd like
> cjb> to prevent users from requesting JSP pages directly [...]. That
> cjb> way I can legitimately claim that all requests are being validated,
> cjb> input scrubbed, JSPs cannot be taken advantage of w/o their
> cjb> servlet chaperones being present, etc.
>
> cjb> a. [...] adding a <security-constraint> for each folder.
>
> cjb> b. [...] JSP files under the WEB-INF folder.
>
> wk> c. Implement a servlet filter which is mapped to /* with dispatcher
> wk> options: REQUEST, INCLUDE, FORWARD. The filter may check the request
> wk> URI or include/forward URI (through request attributes).
>
> While I have a general idea of what you mean, I don't know how to implement
> that. Is that a standard practice?

I think the option uses standards and doesn't depart from standard practices. Chapter 6 of the servlet spec [1] describes what a Filter is, when/how it can be used, its lifecycle, etc. Dispatcher options are explained in 6.2.5.

Your servlet filter implementation may be invoked as a pre-processing component before other resources or servlets. When a .jsp is accessed directly, your filter may be invoked with the REQUEST dispatcher option (the default unless configured manually); you can check the resource path through HttpServletRequest#getRequestURI(), e.g. /examples/hello.jsp. If you want to check the cases where the JSP is included or forwarded through RequestDispatcher, you may check the servlet request attributes described in section 9.3.1 (for inclusion) or 9.4.2 (for forwarding).

So, you might want to check the include/forward path first and the request URI afterward to check everything and modify the response as a result. For example, you can choose to send a 4xx response if the condition doesn't meet your requirement. All of those are based on servlet standards.

HTH,

Woonsan

[1] https://javaee.github.io/servlet-spec/downloads/servlet-3.1/Final/servlet-3_1-final.pdf

> --
> Cris Berneburg
> CACI Lead Software Engineer
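The filter Woonsan outlines (mapped to /* for REQUEST, INCLUDE and FORWARD, rejecting JSPs that are hit directly while letting servlet-driven includes and forwards through), written out as an added example. It is not code from this thread or from Tomcat; the class name JspGateFilter, the choice of a 404 response and the .jsp/.jspx extension check are my assumptions, and it targets the javax.servlet 3.1 API the spec link refers to. It reads the include target from the javax.servlet.include.* attributes of section 9.3.1 (exposed as RequestDispatcher.INCLUDE_SERVLET_PATH / INCLUDE_PATH_INFO), because during an include getServletPath() and getRequestURI() still describe the including resource, not the JSP being pulled in.

```java
import java.io.IOException;
import java.util.Locale;
import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical example (not from the thread): blocks direct browser requests for
 * JSP pages and allows them only when a servlet includes or forwards to them.
 * Mapped to every path and to the three dispatcher types the reply names.
 */
@WebFilter(urlPatterns = "/*",
           dispatcherTypes = {DispatcherType.REQUEST, DispatcherType.INCLUDE, DispatcherType.FORWARD})
public class JspGateFilter implements Filter {

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // A JSP reached by a plain client request (no servlet chaperone): answer as if
        // it did not exist. INCLUDE and FORWARD dispatches fall through to chain.doFilter.
        if (isJsp(targetPath(request)) && request.getDispatcherType() == DispatcherType.REQUEST) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * Context-relative, decoded path of the resource this dispatch is actually going to run.
     * Servlet path + path info is used instead of getRequestURI() because the request URI is
     * neither URL-decoded nor stripped of path parameters such as ";jsessionid=...", which
     * would let "/hello.jsp;x" or "/hello.js%70" slip past a naive endsWith(".jsp") check.
     */
    static String targetPath(HttpServletRequest request) {
        String servletPath;
        String pathInfo;
        if (request.getDispatcherType() == DispatcherType.INCLUDE) {
            // Spec 9.3.1: the included target lives in javax.servlet.include.servlet_path /
            // path_info; the request's own getters still describe the *including* resource.
            servletPath = (String) request.getAttribute(RequestDispatcher.INCLUDE_SERVLET_PATH);
            pathInfo    = (String) request.getAttribute(RequestDispatcher.INCLUDE_PATH_INFO);
        } else {
            // REQUEST and FORWARD: the request object already describes the target.
            // (Spec 9.4.2: the original caller of a forward is in javax.servlet.forward.*,
            // e.g. RequestDispatcher.FORWARD_REQUEST_URI, should you want to log it.)
            servletPath = request.getServletPath();
            pathInfo    = request.getPathInfo();
        }
        return (servletPath == null ? "" : servletPath) + (pathInfo == null ? "" : pathInfo);
    }

    /** Assumed extension list; extend it if web.xml maps the JSP servlet to other patterns. */
    static boolean isJsp(String path) {
        String p = path.toLowerCase(Locale.ROOT);
        return p.endsWith(".jsp") || p.endsWith(".jspx");
    }
}
```

To verify the gate after deploying, request a JSP directly (curl -i http://localhost:8080/examples/hello.jsp) and expect a 404, then request the servlet that forwards to it and expect the rendered page. Error pages are reached through an ERROR dispatch, which this filter is deliberately not mapped to, so a JSP error page keeps working; welcome-file entries that name a .jsp should be tested explicitly after installing the filter.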