Win a copy of The Java Performance Companion this week in the Performance forum!
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

Protecting JSP Pages after Deployment to Tomcat

 
Sunday Oyeniyi
Greenhorn
Posts: 14
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I need somebody to assist me with how to protect my JSP pages after its been deployed to tomcat. Ideally, I need a situation where Tomcat will not unpack my WAR file i.e. everything remain inside the WAR file and runs from there and nobody will be able to open the WAR file while the WAR is running on Tomcat.

Thanks in advance.
 
William Brogden
Author and all-around good cowpoke
Rancher
Posts: 13064
6
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
As I recall, there is a unpackWARs attribute used in server.xml to configure this and the default setting is true.
This documentation for Tomcat 5 describes the use in the Host element.
Bill
 
Ben Souther
Sheriff
Posts: 13411
Firefox Browser Redhat VI Editor
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
What do you mean protect them?
Protect them from whom?
 
Sunday Oyeniyi
Greenhorn
Posts: 14
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
We actually want to implement dual control over our applications that are deployed on TOMCAT. We want to protect the JSP from our in-house administrators who could go into the webapps folder and open up jsp pages and start modifyng them. Really, what we want to achieve is for Tomcat not to deploy the WAR files and also protect the WAR file with a password. Any useful information in this regard will be highly appreciated.
 
Ben Souther
Sheriff
Posts: 13411
Firefox Browser Redhat VI Editor
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
If you deploy a war file by dropping it into the webapps directory, it will be unpacked by default. If you keep it elsewhere and deploy it by creating a context fragment file then, as William mentioned, you can set the unpackWar attribute to false.
http://tomcat.apache.org/tomcat-5.5-doc/config/context.html

Suggestion:
Have you considered pre-compiling your JSPs and removing the source files from the webapp altogether?
[ November 13, 2006: Message edited by: Ben Souther ]
 
Sunday Oyeniyi
Greenhorn
Posts: 14
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Thank you Ben Souther for your response - pls educate me or throw more light on what you mean by pre-compiling my JSPs. How do I pre-compile the JSP? Does that mean that I will leave only the .class files that are generated in tomcat work folder and remove all the .jsp files? Bearing in mind that what exactly I want to achieve is to dual-control any change that will be effected on the jsps via a password. Pls assist me further!
 
Ben Souther
Sheriff
Posts: 13411
Firefox Browser Redhat VI Editor
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
First, 'pls' is not a word.
See UseRealWords to see why we so strongly discourage the use of non-English words here.

On to your question: There are ANT tasks for precompiling all of your JSPs, and yes, it means that you can ship only your .class files.
Besides making it very difficult for someone to tinker with them, you won't have to wait for the JSP to be compiled the first time you hit it.

I haven't done this myself so I won't be able to walk you through it but a Google search or two should get you started.
http://www.google.com/search?hl=en&q=ANT+Precompile+JSP&btnG=Google+Search
 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic