Leo,

I'll chime in. :)

On 9/10/2010 10:13 AM, Leo Donahue - PLANDEVX wrote:
> I've read that you can secure direct access to a JSP by placing it in
> the WEB-INF directory. I know you can also secure direct access to a
> JSP by creating a security constraint using URL patterns and
> assigning role names that do not exist.
>
> I've also "heard" that when you secure a URL using a security
> constraint, that you are not securing the "resource".

That depends on what you think the "resource" is. If it's a file on a disk, then it is only "secure" if you secure all ways to retrieve it. If you have multiple URLs that reference the same file on a disk, then yes, you can "secure" one URL and not another and therefore your file is not entirely "secure".

Chuck doesn't come right out and say this, but I believe he's hinting at the fact that files on a disk are largely irrelevant: they are an implementation detail where HTTP is concerned: the URL is a request for a resource. Securing that URL is securing the resource. The fact that multiple resources might result in the same response (from the same file on the disk) is just a coincidence.

-chris
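
The case discussed in the message above, two URLs answered by one JSP file with only one of them constrained, as an added web.xml fragment that is not part of the original thread. The path /admin/report.jsp, the /reports/summary mapping and the servlet name are hypothetical, and the fragment uses an empty auth-constraint (which denies all callers) in place of a role name that does not exist.

```xml
<!-- Fragment of WEB-INF/web.xml, placed inside <web-app>.
     Constructed example: all paths and names are hypothetical. -->

<!-- A second URL whose response comes from the same JSP file on disk. -->
<servlet>
  <servlet-name>report</servlet-name>
  <jsp-file>/admin/report.jsp</jsp-file>
</servlet>
<servlet-mapping>
  <servlet-name>report</servlet-name>
  <url-pattern>/reports/summary</url-pattern>
</servlet-mapping>

<!-- WEAK: constrains only the direct URL of the JSP.
     /admin/report.jsp is refused, but /reports/summary is a different
     URL, matches no constraint, and still renders the same file. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Report JSP (direct URL only)</web-resource-name>
    <url-pattern>/admin/report.jsp</url-pattern>
  </web-resource-collection>
  <!-- An auth-constraint that names no role denies every caller. -->
  <auth-constraint/>
</security-constraint>

<!-- CORRECTED (replaces the constraint above): list every URL pattern
     that resolves to the file, so each request URL is constrained. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Report JSP (all URLs)</web-resource-name>
    <url-pattern>/admin/report.jsp</url-pattern>
    <url-pattern>/reports/summary</url-pattern>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>
```

The container evaluates constraints against the request URL, so auditing a constraint means enumerating every servlet-mapping that reaches the file, not just the file's own path.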