You could always position your jsp's inside the WEB-INF dir....
This will enable you to access them only through server redirects rather
than absolute url's
Sharon
-----Original Message-----
From: Kiran Badi [mailto:ki...@poonam.org]
Sent: Tuesday, June 19, 2012 3:10 AM
To: Tomcat Users List
Subject: Protect JSP from Direct Access in Tomcat 7.0.xx
Hi All,
I need your guidance again.I have bunch of JSP's close to 100+ which I
need to protect it from direct access.
I have this mapping in web xml and this is not working,It seems that
probably i need to define a role first and then use below settings.But
unfortunately my app is open internet application which does not use
realm at all.
<security-constraint>
<display-name>DenyAccesstoDirectJSP</display-name>
<web-resource-collection>
<web-resource-name>sample.jsp</web-resource-name>
<description>Sample confirmation JSP</description>
<url-pattern>*.jsp</url-pattern> <http-method>GET</http-method>
<http-method>POST</http-method> </web-resource-collection>
</security-constraint>
All my jsp's are residing in the webpages folder of project directory.I
know this is incorrect and probably gives direct access to jsp's.
So I have some clarification to ask,
1. is their a way to tell tomcat to not to serve direct jsp's probably
via web xml
2. Is their any extra setting that is required if I move my JSP's inside
web-inf.I created a folder under web-inf and create sample hello
world.jsp and then tried to invoke that jsp but got 404 message.
- Kiran
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
