Another, cheaper, option is to put your files under WEB-INF and put a filter into the webapp which denies all requests to a JSP if it's not under WEB-INF. And of course deny all requests to upload something into WEB-INF.

Regards,
Leon
On 1/23/07, Caldarale, Charles R <[EMAIL PROTECTED]> wrote:
> From: Christopher Schultz [mailto:[EMAIL PROTECTED]
> Subject: Re: tomcat Webapp security.
>
> <servlet-mapping>
>     <servlet-name>jsp</servlet-name>
>     <url-pattern>*.jsp</url-pattern>
> </servlet-mapping>
> <servlet-mapping>
>     <servlet-name>jsp</servlet-name>
>     <url-pattern>*.jspx</url-pattern>
> </servlet-mapping>
>
> (Not sure why this mapping is in there twice, but whatever...)

They are different mappings; using *.jsp* for the <url-pattern> may get files that are not complete JSPs.

> So, try something like this:
>
> <servlet-mapping>
>     <servlet-name>default</servlet-name>
>     <url-pattern>/treat-as-static/*</url-pattern>
> </servlet-mapping>

IIRC, that won't work, since the DefaultServlet does not include the <url-pattern> when it forms the path to the static content. I believe you have to map everything but the static location(s) to the app's own servlets, and then let the normal default pattern of "/" handle the rest. (Haven't tried this in a while, so it might be different now.)

Could also subclass the default servlet, and implement your own doGet(), etc., methods to include the <url-pattern>.

 - Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
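As an added example, not code from Leon, Chuck, Christopher or the Tomcat project, here is a servlet Filter that implements both halves of Leon's suggestion: it refuses direct requests for JSP-like files inside the upload directory, so the container's *.jsp and *.jspx mappings discussed above never compile and run an uploaded file, and it refuses uploads whose name would resolve outside the upload root (and so into WEB-INF). It assumes the Servlet 2.4 javax.servlet API that Tomcat 5.x exposes, a hypothetical upload directory mapped at /uploads/, a hypothetical init-param named uploadPrefix, and the invented class name UploadGuardFilter.

```java
import java.io.File;
import java.io.IOException;
import java.util.Locale;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Added example, not code from the thread or from Tomcat. Register it in
 * web.xml with <filter-class>UploadGuardFilter</filter-class>, an
 * <init-param> named uploadPrefix (hypothetical; defaults to /uploads/),
 * and a <filter-mapping> on <url-pattern>/*</url-pattern>. Without a
 * <dispatcher> element it runs for REQUEST dispatches only, so a servlet
 * forwarding to a JSP under WEB-INF is not affected.
 */
public class UploadGuardFilter implements Filter {
    // Context-relative directory holding user uploads; everything below it
    // must be served as static content, never compiled as a JSP.
    private String uploadPrefix = "/uploads/";

    public void init(FilterConfig config) throws ServletException {
        String p = config.getInitParameter("uploadPrefix");
        if (p != null && p.startsWith("/")) {
            uploadPrefix = p.endsWith("/") ? p : p + "/";
        }
    }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Context-relative path; Tomcat has already URL-decoded and
        // normalised it, so ".." segments are gone by the time we look.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path = path + request.getPathInfo();
        }
        if (isDeniedPath(path, uploadPrefix)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * Refuse a JSP-like name inside the upload directory (the *.jsp and
     * *.jspx mappings would otherwise compile and run an uploaded file) and
     * any path reaching into WEB-INF or META-INF. Tomcat already answers
     * 404 for the latter; checking again here is a cheap second line.
     */
    static boolean isDeniedPath(String path, String uploadPrefix) {
        if (path == null) {
            return false;
        }
        String lower = path.toLowerCase(Locale.ENGLISH);
        if (lower.contains("/web-inf") || lower.contains("/meta-inf")) {
            return true;
        }
        if (lower.startsWith(uploadPrefix.toLowerCase(Locale.ENGLISH))) {
            String name = lower.substring(lower.lastIndexOf('/') + 1);
            // ".jsp" anywhere in the name covers x.jsp, x.jspx and x.jsp.bak;
            // being too strict about file names is the cheaper failure.
            return name.contains(".jsp");
        }
        return false;
    }

    /**
     * Upload-side check: keep only the last component of the client-supplied
     * name, refuse JSP-like names, and refuse anything whose canonical
     * location falls outside the upload root (so "../WEB-INF/x.jsp" can
     * never land in WEB-INF). Returns null when the upload must be rejected.
     */
    static File resolveUploadTarget(File uploadRoot, String clientName) throws IOException {
        if (clientName == null) {
            return null;
        }
        String base = clientName.replace('\\', '/');
        base = base.substring(base.lastIndexOf('/') + 1);
        if (base.length() == 0 || base.equals(".") || base.equals("..")
                || base.toLowerCase(Locale.ENGLISH).contains(".jsp")) {
            return null;
        }
        File target = new File(uploadRoot, base);
        String root = uploadRoot.getCanonicalPath() + File.separator;
        return target.getCanonicalPath().startsWith(root) ? target : null;
    }
}
```

The filter complements, rather than replaces, Chuck's point about mappings: the upload handler should call resolveUploadTarget() before writing anything to disk, and the request-side check is what stops a file that did slip through from ever reaching the jsp servlet. Because the check keys on the context-relative path after Tomcat's own decoding and normalisation, it does not need to reason about percent-encoding itself.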