I was going through some security sites and realized that it is possible to obtain the source of a JSP page. It is said that in some Tomcat implementations, instead of the trailing "p" in .jsp, if you use "%70" (the char for 'p') the server incorrectly recognizes this as a request for a non-.jsp file and pumps out the file onto the client. I tried the above in Tomcat 3.3 on a WinMe platform and a Sun Solaris ver 5 platform, and it DIDN'T show the source code. The above is described at http://www.jadcentral.com/newscentral/feature.jsp?feature_ID=23. What I was worried about is that I had passwords to the MySQL database in the .jsp file(s) itself. After reading about this security issue, I have since removed them from the file(s). Are there any other ways by which one may view the source of a .jsp file?
Web and Database Designer for the Factoids Program
Computing and Media Services
Syracuse University
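Added example, not from the original thread: a defender-side access-log check in Python that flags requests whose raw path disguises a .jsp extension with percent-encoding, the pattern the post above describes. The log lines, client addresses and paths are constructed for this example.

```python
"""Flag access-log requests that hide a .jsp extension behind percent-encoding.
The sample lines below are constructed (Common Log Format), not real traffic."""
import re
from urllib.parse import unquote

# Constructed sample log (hypothetical clients and paths).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2002:10:01:02 -0500] "GET /app/login.jsp HTTP/1.0" 200 1432
10.0.0.9 - - [12/Mar/2002:10:01:07 -0500] "GET /app/login.js%70 HTTP/1.0" 200 2210
10.0.0.9 - - [12/Mar/2002:10:01:09 -0500] "GET /app/%6Cogin.jsp HTTP/1.0" 200 1432
10.0.0.7 - - [12/Mar/2002:10:02:11 -0500] "GET /images/logo.gif HTTP/1.0" 200 5120
10.0.0.9 - - [12/Mar/2002:10:02:30 -0500] "GET /app/db.JS%50 HTTP/1.0" 200 3020
"""

# client, timestamp, method, raw request path, status, size
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')


def suspicious_jsp_request(raw_path):
    """True when the decoded path names a .jsp file but the raw path does not
    spell the extension out, i.e. a byte inside ".jsp" was percent-encoded.
    Encoding elsewhere in the name (e.g. %6Cogin.jsp) is not flagged."""
    path = raw_path.split('?', 1)[0]          # drop the query string
    decoded = unquote(path)
    if not decoded.lower().endswith('.jsp'):
        return False
    return not path.lower().endswith('.jsp')


def scan_log(text):
    """Return (client, raw_path, status) for every suspicious request line."""
    hits = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue                           # skip lines that are not CLF
        client, _ts, _method, raw_path, status, _size = m.groups()
        if suspicious_jsp_request(raw_path):
            hits.append((client, raw_path, int(status)))
    return hits


if __name__ == '__main__':
    for client, raw_path, status in scan_log(SAMPLE_LOG):
        print(f'{client} requested {raw_path} (status {status})')
```

A 200 status on a flagged line is the case worth investigating, since a correctly mapped request would have been compiled and served as a page, not returned as a file.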
You should not have database passwords hardcoded in JSP pages. You can make the password embedded in database access JavaBeans, which are compiled and located under WEB-INF/ (not accessible from the web server). You should also configure your database so that it only accepts connections with that password from your trusted server domains.
"Goldie TheDude", The Java Ranch has thousands of visitors every week, many with surprisingly similar names. To avoid confusion we have a naming convention, described at http://www.javaranch.com/name.jsp. We require names to have at least two words, separated by a space, and strongly recommend that you use your full real name. Please edit your profile and select a new name which meets the requirements. Thanks. Dave
1) How to distribute .class files only for JSPs is explained quite clearly in the JSP specs, Appendix A. 2) That does not address your problem with passwords. Coded 'in clear' in the .jsp, they will also be in clear in the generated .java and the .class files. 3) I think you have a design problem. Regards, Guy