Hi Woonsan cjb> I'd like to prevent users from requesting JSP pages directly
cjb> a. [...] adding a <security-constraint> for each folder. cjb> b. [...] JSP files under the WEB-INF folder. wk> c. Implement a servlet filter which is mapped to /* with wk> dispatcher options: REQUEST, INCLUDE, FORWARD. The filter may wk> check the request URI or include/forward URI (through request wk> attributes). wk> The chapter 6 of the servlet spec [1] describes what Filter is, wk> when/how it can be used, its lifecycle, etc. Dispatcher options wk> are explained in 6.2.5. Your servlet filter implementation may wk> be invoked as pre-processing component before other resources wk> or servlets. When .jsp is accessed directly, your filter may wk> be invoked as REQUEST dispatcher option (the default unless wk> configured manually), you can check the resource path info wk> through HttpRequestServlet#getRequestURI(). e.g, wk> /examples/hello.jsp. If you want to check the cases where the wk> JSP is included or forwarded through RequestDispatcher, you may wk> check servlet request attributes described in the section 9.3.1 wk> (for inclusion) or 9.4.2 (for forwarding). So, you might want to wk> check include/forward path first and find requestURI afterward wk> to check everything and modify the response as a result. For wk> example, you can choose to send a 4xx response if the condition wk> doesn't meet your requirement. All of those are based on wk> servlet standards. I'm afraid this is a bit more advanced than where I currently am ATM and possibly what my project requires. Also, I am reminded of the textbook phrase, "the rest is left as an exercise to the reader". :-) Or a presenter... -- Cris Berneburg CACI Lead Software Engineer
