-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Cris,

On 8/20/18 1:31 PM, Berneburg, Cris J. - US wrote:
> Hi Mark
>
> Thanks for taking the time to reply. :-)
>
> cjb> Due to security concerns and general fussiness on my part, I'd like
> cjb> to prevent users from requesting JSP pages directly [...]. That
> cjb> way I can legitimately claim that all requests are being validated,
> cjb> input scrubbed, JSP's cannot be taken advantage of w/o their
> cjb> servlet chaperones being present, etc.
>
> mt> I'm struggling to understand what risks exist with JSPs that don't
> mt> with Servlets. After all, a JSP is just an alternative way to write
> mt> a Servlet. Tomcat translates the .jsp file to the .java source for a
> mt> servlet, compiles it and runs it.
> mt> Can you elaborate?
>
> See Chris Schultz's reply about MVC. He pretty much nailed it.
>
> For me, it's a twofold combination of (a) security concerns and (b)
> separation of responsibilities.
>
> a. Security - shrink the attack surface.

It's worth pointing out that what's shrinking is the attack surface *of the application*, not necessarily of JSP (as a technology) itself. While I agree 100% with (a), here, it's not because there is anything inherently risky about JSPs. It's that most people end up writing really awful JSPs that are full of holes.

> b. Separation of duties - I want the JSP's to simply render pages
> and the non-JSP servlets to do all the heavy lifting.

This item (b) allows you to more effectively achieve (a) IMHO. Also, "separation of concerns" allows you to focus on one task in one piece of code, instead of having a JSP that needs to enforce security, sanitize inputs, query a database, manage the result set, etc. all while providing error-handling, etc. Anything that makes code more maintainable is a big +1 in my book.
One of the ways I have kept my code as maintainable as possible is by not using JSPs :)

- -chris
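As an added illustration of the "servlet chaperone" arrangement Cris describes (example code written for this page, not code from anyone on the thread or from Tomcat): the JSP is kept under /WEB-INF/, which the Servlet specification never serves to a client directly, and a servlet validates the input before forwarding to it. The servlet class, the /greet URL pattern, the JSP path and the "name" parameter are all assumed for the example.

```java
// Added example, not from the thread. Assumed names: GreetServlet, the
// URL pattern /greet, the parameter "name" and /WEB-INF/jsp/greeting.jsp.
package example;

import java.io.IOException;
import java.util.regex.Pattern;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/greet")
public class GreetServlet extends HttpServlet {

    // Allow-list for the only input this page accepts:
    // letters, digits and spaces, 1 to 40 characters.
    private static final Pattern NAME = Pattern.compile("^[\\p{Alnum} ]{1,40}$");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String name = req.getParameter("name");
        if (name == null || !NAME.matcher(name).matches()) {
            // Validation lives here, in the servlet, so the JSP never sees bad input.
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid name");
            return;
        }

        // Only validated data is handed to the view.
        req.setAttribute("name", name);

        // A client GET of /WEB-INF/jsp/greeting.jsp returns 404: the container
        // refuses to serve anything under /WEB-INF/. Only a server-side forward
        // like this one can reach the JSP, so it cannot run without its servlet.
        // The JSP itself should still output-encode, e.g. ${fn:escapeXml(name)}.
        req.getRequestDispatcher("/WEB-INF/jsp/greeting.jsp").forward(req, resp);
    }
}
```

Moving every JSP under /WEB-INF/ is the simplest way to get the "no direct requests" guarantee; a web.xml security-constraint on *.jsp with an empty auth-constraint is the alternative when the files have to stay where they are.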