• Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

Hiding jsp pages behind WEB-INF

 
david allen
Ranch Hand
Posts: 185
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi all,

I would like to hide all of my jsp pages behind WEB-INF so they can not be accessed by a user if they type the url into the a browser.

Is this possible?

If it is and I do put them behind WEB-INF do I have to register servlet.xml?

Any pointer would be appreciated

thanks david
 
Bosun Bello
Ranch Hand
Posts: 1510
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Files placed under WEB-INF are not directly accesible to the browser/client. Since the browser needs to render the JSPs, they can not be put there.

You should be able to use servlet mapping to achieve what you want to do.
 
David O'Meara
Rancher
Posts: 13459
Android Eclipse IDE Ubuntu
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
"Bosun",
You have changed your display name from one which is valid to one which ... is not.

Please change it back immediately, accounts with invalid display names get deleted, often without warning.

If you need more information, please check the Naming Rules page.

thanks,
Dave.
 
David O'Meara
Rancher
Posts: 13459
Android Eclipse IDE Ubuntu
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Although I never managed to get it working correctly, it is possible to place JSPs there as long as you only forward or include them from the servlet.

BUT, I've found support for this to be server specific, and even version specific. ie if you managed to get it working in your particular container, there is no guarantee it would work if you had to move to another container, or even another version.

I've learnt to be wary of undocumented trick such as these. Better to put a web server in front and block direct JSP access there.

Dave
 
Eric Pascarello
author
Rancher
Posts: 15385
6
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
You can not keep a user from typing urls into the browser, you should implement a way to check for their session. If they do not have the session when the page loads then dump them to the main page.

If you also want the URL to be hidden:
You just need to manage the process, and you can not keep the url from being visible. You can use frames, but the url can still be found. Only way you can keep the url the same would be to include 5000000 dynamic includes.

Eric
 
Bear Bibeault
Author and ninkuma
Marshal
Pie
Posts: 64171
83
IntelliJ IDE Java jQuery Mac Mac OS X
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Since I disallow direct access to my JSPS, I always hide them behind WEB-INF so that they can only be accessed via a controller servlet. I've never had any problems doing so from any version of Tomcat or Resin. Any container that does not allow this is "broken" and should be fixed.
 
Jeanne Boyarsky
author & internet detective
Marshal
Posts: 33671
316
Eclipse IDE Java VI Editor
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I second what Bear said. It is also easier to maintain if the users can't access the JSP directly.

Keep in mind that the JSP is compiled into a servlet. If you were writing the servlet yourself, it would be standard procedure to put it in WEB-INF/classes. So keeping the JSP in WEB-INF is logically consistent.
 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic