JavaRanch » Java Forums » Frameworks » Struts
Restricting direct access to JSP files

Smd Muneer
Greenhorn

Joined: Oct 05, 2007
Posts: 8
Hi,

Can anybody tell me how to restrict direct access to JSP files in Struts?

Thanks in advance


Thanks & regards,
SMD Muneer.
Merrill Higginson
Ranch Hand

Joined: Feb 15, 2005
Posts: 4864
There are many who advocate putting all JSPs in the WEB-INF directory. However, I prefer the method described in this article under the heading Safeguard your JSP pages.

The main reason I don't like putting things in the WEB-INF directory is that it messes up the relationship between the JSPs and the static files such as css and image files. These cannot be put in WEB-INF because you do want direct access to these files, so you end up with two different directory trees: one for the JSPs and one for the static files.

Many web development tools don't work well with this arrangement. To me it just seems to make the organization of the files more intuitive to keep the JSPs in the web context root and use security to restrict direct access to them.
[ October 06, 2007: Message edited by: Merrill Higginson ]

Merrill
Consultant, Sima Solutions
Smd Muneer
Greenhorn

Joined: Oct 05, 2007
Posts: 8
Hi,

Thanks for the reply.

I followed the process defined in the "Safeguard your JSP pages" article, but I am still able to access the JSPs directly. Please note that I put all my JSPs in a folder called JSPs.
Is there any other way to achieve this? I don't want to put my JSPs in the WEB-INF folder.
Please help me.

Thank You So Much...
Smd Muneer
Merrill Higginson
Ranch Hand

Joined: Feb 15, 2005
Posts: 4864
What they don't explain in the article is that the stanzas in a web.xml file must be in a certain order, and if they aren't, they may not work as expected. Try moving your security-constraint stanza toward the end of your web.xml file just before the </web-app> tag and test again.

If you're still unable to figure it out, post your web.xml file, and we'll help you debug it.
Smd Muneer
Greenhorn

Joined: Oct 05, 2007
Posts: 8
Hi,
This is my web.xml; please debug it.


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app id="WebApp">
  <display-name>DESMexicoWeb</display-name>

  <filter>
    <filter-name>SessionFilter</filter-name>
    <display-name>SessionFilter</display-name>
    <filter-class>com.tcs.des.filters.SessionFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>SessionFilter</filter-name>
    <url-pattern>/loginprocess.do</url-pattern>
  </filter-mapping>
  <listener>
    <listener-class>com.tcs.des.listeners.LookupListener</listener-class>
  </listener>
  <listener>
    <listener-class>com.tcs.des.listeners.SessionListener</listener-class>
  </listener>
  <servlet>
    <servlet-name>action</servlet-name>
    <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
    <init-param>
      <param-name>config</param-name>
      <param-value>/WEB-INF/struts-config.xml</param-value>
    </init-param>
    <init-param>
      <param-name>debug</param-name>
      <param-value>2</param-value>
    </init-param>
    <init-param>
      <param-name>detail</param-name>
      <param-value>2</param-value>
    </init-param>
    <load-on-startup>2</load-on-startup>
  </servlet>
  <servlet>
    <servlet-name>CrdCardVerifier</servlet-name>
    <display-name>CrdCardVerifier</display-name>
    <servlet-class>com.tcs.des.verifiers.CrdCardVerifier</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>RetenderVerifier</servlet-name>
    <display-name>RetenderVerifier</display-name>
    <servlet-class>com.tcs.des.verifiers.RetenderVerifier</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>GetPromotorDetail</servlet-name>
    <display-name>GetPromotorDetail</display-name>
    <servlet-class>com.tcs.des.verifiers.GetPromotorDetail</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>GetDocumentStatus</servlet-name>
    <display-name>GetDocumentStatus</display-name>
    <servlet-class>com.tcs.des.verifiers.GetDocumentStatus</servlet-class>
  </servlet>

  <servlet>
    <servlet-name>rpcrouter</servlet-name>
    <display-name>Apache-SOAP RPC Router</display-name>
    <description>no description</description>
    <servlet-class>com.ibm.soap.server.http.WASRPCRouterServlet</servlet-class>
    <init-param>
      <param-name>faultListener</param-name>
      <param-value>org.apache.soap.server.DOMFaultListener</param-value>
    </init-param>
  </servlet>
  <servlet>
    <servlet-name>messagerouter</servlet-name>
    <display-name>Apache-SOAP Message Router</display-name>
    <description>no description</description>
    <servlet-class>com.ibm.soap.server.http.WASMessageRouterServlet</servlet-class>
    <init-param>
      <param-name>faultListener</param-name>
      <param-value>org.apache.soap.server.DOMFaultListener</param-value>
    </init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>action</servlet-name>
    <url-pattern>*.do</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>CrdCardVerifier</servlet-name>
    <url-pattern>/CrdCardVerifier</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>RetenderVerifier</servlet-name>
    <url-pattern>/RetenderVerifier</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>GetPromotorDetail</servlet-name>
    <url-pattern>/GetPromotorDetail</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>GetDocumentStatus</servlet-name>
    <url-pattern>/GetDocumentStatus</url-pattern>
  </servlet-mapping>

  <servlet-mapping>
    <servlet-name>rpcrouter</servlet-name>
    <url-pattern>/servlet/rpcrouter</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>messagerouter</servlet-name>
    <url-pattern>/servlet/messagerouter</url-pattern>
  </servlet-mapping>
  <session-config>
    <session-timeout>15</session-timeout>
  </session-config>
  <welcome-file-list>
    <welcome-file>login.jsp</welcome-file>
  </welcome-file-list>
  <taglib>
    <taglib-uri>/WEB-INF/struts-bean.tld</taglib-uri>
    <taglib-location>/WEB-INF/struts-bean.tld</taglib-location>
  </taglib>

  <taglib>
    <taglib-uri>/WEB-INF/struts-html.tld</taglib-uri>
    <taglib-location>/WEB-INF/struts-html.tld</taglib-location>
  </taglib>

  <taglib>
    <taglib-uri>/WEB-INF/struts-logic.tld</taglib-uri>
    <taglib-location>/WEB-INF/struts-logic.tld</taglib-location>
  </taglib>

  <!-- Nested Tag Library Descriptor -->
  <taglib>
    <taglib-uri>/WEB-INF/struts-nested.tld</taglib-uri>
    <taglib-location>/WEB-INF/struts-nested.tld</taglib-location>
  </taglib>

  <!-- Template Tag Library Descriptor -->
  <taglib>
    <taglib-uri>/WEB-INF/struts-template.tld</taglib-uri>
    <taglib-location>/WEB-INF/struts-template.tld</taglib-location>
  </taglib>

  <taglib>
    <taglib-uri>/WEB-INF/struts-tiles.tld</taglib-uri>
    <taglib-location>/WEB-INF/struts-tiles.tld</taglib-location>
  </taglib>
  <resource-ref id="ResourceRef_1182937761984">
    <res-ref-name>jdbc/desmxds</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <res-auth>Application</res-auth>
    <res-sharing-scope>Shareable</res-sharing-scope>
  </resource-ref>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SecureDesPages</web-resource-name>
      <description>Security constraint for jsp pages</description>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <ejb-local-ref id="EJBLocalRef_1185291957420">
    <ejb-ref-name>ejb/WorkFlowLocalEJB</ejb-ref-name>
    <ejb-ref-type>Session</ejb-ref-type>
    <local-home>com.tcs.des.ejb.sessions.workflow.WorkFlowManagerLocalHome</local-home>
    <local>com.tcs.des.ejb.sessions.workflow.WorkFlowManagerLocal</local>
    <ejb-link>DESMexicoEJB.jar#WorkFlowManager</ejb-link>
  </ejb-local-ref>
  <ejb-local-ref id="EJBLocalRef_1185539216944">
    <ejb-ref-name>ejb/SearchLocalEJB</ejb-ref-name>
    <ejb-ref-type>Session</ejb-ref-type>
    <local-home>com.tcs.des.ejb.sessions.search.SearchServiceLocalHome</local-home>
    <local>com.tcs.des.ejb.sessions.search.SearchServiceLocal</local>
    <ejb-link>DESMexicoEJB.jar#SearchService</ejb-link>
  </ejb-local-ref>

</web-app>


Thanks,
Smd Muneer
Merrill Higginson
Ranch Hand

Joined: Feb 15, 2005
Posts: 4864
I cut and pasted your security-constraint stanza into my web application and deployed it to JBoss 2.0. When I tried to access any file with a .jsp extension, I got HTTP Error 403, which is what should happen.

I'm not sure why it's not working for you. Are there any more details that you can give us?
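The two things the thread turns on, the DTD stanza order Merrill points out and the deny-all `*.jsp` constraint in the posted web.xml, can both be checked mechanically. The script below is an added example, not code from the thread or from any project mentioned in it. It uses only the Python standard library; the sample web.xml inside it is a constructed, trimmed copy of the one posted above (DOCTYPE omitted so the parser never tries to fetch it), and the element order list is the one the Servlet 2.3 web-app DTD requires. It reports out-of-order stanzas, lists the url-patterns that an empty `<auth-constraint/>` locks down, and simulates servlet-spec pattern matching to show which client request paths would be refused.

```python
"""Audit a Servlet 2.3 web.xml for a deny-all constraint on direct JSP access.

Added example, not code from the thread. It checks the stanza order the DTD
requires, collects url-patterns locked down by an empty <auth-constraint/>,
and simulates which client request paths the container would refuse (403).
"""
import xml.etree.ElementTree as ET

# Top-level element order required by the Servlet 2.3 web-app DTD.
WEB_APP_2_3_ORDER = [
    "icon", "display-name", "description", "distributable", "context-param",
    "filter", "filter-mapping", "listener", "servlet", "servlet-mapping",
    "session-config", "mime-mapping", "welcome-file-list", "error-page",
    "taglib", "resource-env-ref", "resource-ref", "security-constraint",
    "login-config", "security-role", "env-entry", "ejb-ref", "ejb-local-ref",
]

# Constructed sample, trimmed from the web.xml posted in the thread (no DOCTYPE).
SAMPLE_WEB_XML = """<web-app id="WebApp">
  <servlet>
    <servlet-name>action</servlet-name>
    <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>action</servlet-name>
    <url-pattern>*.do</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SecureDesPages</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

# Constructed variant: the constraint placed before the mapping, which the DTD forbids.
MISORDERED_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SecureDesPages</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <servlet-mapping>
    <servlet-name>action</servlet-name>
    <url-pattern>*.do</url-pattern>
  </servlet-mapping>
</web-app>"""

def order_violations(web_xml):
    """(earlier_tag, later_tag) pairs where later_tag belongs before earlier_tag."""
    rank = {tag: i for i, tag in enumerate(WEB_APP_2_3_ORDER)}
    violations, high_tag, high_rank = [], None, -1
    for child in ET.fromstring(web_xml):
        r = rank.get(child.tag)
        if r is None:
            continue  # not a 2.3 element; the DTD itself rejects those
        if r < high_rank:
            violations.append((high_tag, child.tag))
        else:
            high_tag, high_rank = child.tag, r
    return violations

def deny_all_patterns(web_xml):
    """url-patterns nobody may request: the constraint has an empty <auth-constraint/>."""
    patterns = []
    for sc in ET.fromstring(web_xml).findall("security-constraint"):
        auth = sc.find("auth-constraint")
        # No <auth-constraint> leaves access open; a <role-name> makes it role-based.
        if auth is None or auth.find("role-name") is not None:
            continue
        for wrc in sc.findall("web-resource-collection"):
            # Listing <http-method> narrows the constraint to those verbs only,
            # so it is no longer a blanket denial; omit it for a real lock-down.
            if wrc.find("http-method") is not None:
                continue
            patterns.extend((p.text or "").strip() for p in wrc.findall("url-pattern"))
    return patterns

def matches(pattern, path):
    """Servlet-spec matching: exact, path prefix (/dir/*) or extension (*.ext)."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return False

def direct_access_denied(web_xml, path):
    """True if a client request for `path` is refused. Server-side forwards from a
    Struts action to the same JSP are not checked against security constraints."""
    return any(matches(p, path) for p in deny_all_patterns(web_xml))
```

Running `order_violations(SAMPLE_WEB_XML)` returns an empty list, while the misordered variant reports `("security-constraint", "servlet-mapping")`, the kind of mistake that makes a container silently ignore or reject the descriptor. `direct_access_denied(SAMPLE_WEB_XML, "/JSPs/login.jsp")` is true, which shows that an extension pattern covers JSPs in any folder, so a subdirectory called JSPs needs no extra pattern; `/loginprocess.do` is not denied, so the Struts action still runs and can forward to the JSP, because the constraint applies to client requests only.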