JSP hiding

Keith Kamholz

Joined: Jan 03, 2003
Posts: 2
Hey everyone,
I'm adding security to an application that's already completely working. I'm using Struts and WebSphere. We want to hide the JSPs so that the user cannot type in the URL to the individual pages. A common practice to hide JSPs is to place them in the WEB-INF directory. I did this, but for some reason, after logging in, the user can type root/EditPage.jsp to access that page. For some reason, they can also type in root/WEB-INF/JSP/EditPage.jsp and the page is displayed. The pages physically reside in the WEB-INF/JSP folder. It's really weird.
Does anyone have any idea what might be going on here? The JSPs shouldn't even be viewable. Any help would be greatly appreciated.
- Keith
Rahul Mahindrakar
Ranch Hand

Joined: Jul 28, 2000
Posts: 1868
Yes Keith, I agree with you. As the Servlet specification states:

The WEB-INF node is not part of the public document tree of the application. No file contained in the WEB-INF directory may be served directly to a client by the container. However, the contents of the WEB-INF directory are visible to servlet code using the getResource and getResourceAsStream method calls on the ServletContext. Hence, if the Application Developer needs access, from servlet code, to application specific configuration information that he does not wish to be exposed to the web client, he may place it under this directory. Since requests are matched to resource mappings case-sensitively, client requests for ‘/WEB-INF/foo’, ‘/WEb-iNf/foo’, for example, should not result in contents of the web application located under /WEB-INF being returned, nor any form of directory listing thereof.

[ January 03, 2003: Message edited by: Rahul Mahindrakar ]
Rahul Mahindrakar
Ranch Hand

Joined: Jul 28, 2000
Posts: 1868
One thing you can do, which is a slightly tedious process, is to precompile the JSPs and, since they are servlets, map the .jsp extension to the class files in the web.xml.
You may even remove the JSPs from the application since they are no longer required.
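
The web.xml wiring for the precompile approach described in the post above, as an added example that is not part of the original thread. The servlet class name `com.example.jsp.EditPage_jsp` is a hypothetical placeholder (the real name depends on the JSP compiler in use), and the deny-all constraint on `*.jsp` is an addition that assumes the pages are reached only through server-side forwards such as Struts action forwards.

```xml
<!-- Fragment of WEB-INF/web.xml (added example, not from the thread). -->
<web-app>

  <!-- Precompiled JSP registered as an ordinary servlet.
       The class name is a hypothetical placeholder: use the name your
       JSP compiler actually generates for EditPage.jsp. -->
  <servlet>
    <servlet-name>EditPage</servlet-name>
    <servlet-class>com.example.jsp.EditPage_jsp</servlet-class>
  </servlet>

  <!-- Keep the old path so existing forwards to /EditPage.jsp
       resolve to the compiled class instead of a .jsp source file. -->
  <servlet-mapping>
    <servlet-name>EditPage</servlet-name>
    <url-pattern>/EditPage.jsp</url-pattern>
  </servlet-mapping>

  <!-- Deny direct client requests for any *.jsp URL. An auth-constraint
       that names no roles permits no one. Security constraints are not
       applied to RequestDispatcher forwards or includes, so a controller
       can still forward to the page. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>No direct JSP access</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

</web-app>
```

After deployment, a request typed directly for `/EditPage.jsp` should be refused by the container, while the action that forwards to the page still renders it.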