This week's book giveaway is in the OCAJP 8 forum. We're giving away four copies of OCA Java SE 8 Programmer I Study Guide and have Edward Finegan & Robert Liguori on-line! See this thread for details.
Hey everyone, I'm adding security to an application that's already completely working. I'm using struts and websphere. We want to hide the JSP's so that the user cannot type in the URL to the individual pages. A common practice to hide JSP's is to place them in the WEB-INF directory. I did this, but for some reason, after logging in, the user can type root/EditPage.jsp to access that page. For some reason, they can also type in root/WEB-INF/JSP/EditPage.jsp and the page is displayed. The pages physically reside in the WEB-INF/JSP folder. It's really weird. Does anyone have any idea what might be going on here? The jsp's shouldn't even be viewable. Any help would be greatly appreciated. - Keith
Yes Keith I agree to you. As the Servlet specification states
The WEB-INF node is not part of the public document tree of the application. No file contained in the WEB-INF directory may be served directly to a client by the container. However, the contents of the WEBINF directory are visible to servlet code using the getResource and getResourceAsStream method calls on the ServletContext. Hence, if the Application Developer needs access, from servlet code, to application specific configuration information that he does not wish to be exposed to the web client, he may place it under this directory. Since requests are matched to resource mappings case-sensitively, client requests for ‘/WEB-INF/foo’, ‘/WEb-iNf/foo’, for example, should not result in contents of the web application located under / WEB-INF being returned, nor any form of directory listing thereof.
[ January 03, 2003: Message edited by: Rahul Mahindrakar ]
Joined: Jul 28, 2000
One thing you can do, which is a slightly tedious process is to precompile the jsp's and since they are servlets map the .jsp extension to the class files in the web.xml. You may even remove the jsp's from the application since they are no longer required.