Protecting JSP Pages after Deployment to Tomcat

Sunday Oyeniyi
Greenhorn

Joined: Jul 12, 2005
Posts: 14
I need somebody to assist me with how to protect my JSP pages after they have been deployed to Tomcat. Ideally, I need a situation where Tomcat will not unpack my WAR file, i.e. everything remains inside the WAR file and runs from there, and nobody will be able to open the WAR file while the WAR is running on Tomcat.

Thanks in advance.


Performance is Everything!
William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 12769
As I recall, there is an unpackWARs attribute used in server.xml to configure this and the default setting is true.
This documentation for Tomcat 5 describes the use in the Host element.
Bill
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

What do you mean protect them?
Protect them from whom?


Java API J2EE API Servlet Spec JSP Spec How to ask a question... Simple Servlet Examples jsonf
Sunday Oyeniyi
Greenhorn

Joined: Jul 12, 2005
Posts: 14
We actually want to implement dual control over our applications that are deployed on Tomcat. We want to protect the JSPs from our in-house administrators, who could go into the webapps folder, open up JSP pages and start modifying them. Really, what we want to achieve is for Tomcat not to deploy the WAR files and also to protect the WAR file with a password. Any useful information in this regard will be highly appreciated.
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

If you deploy a WAR file by dropping it into the webapps directory, it will be unpacked by default. If you keep it elsewhere and deploy it by creating a context fragment file then, as William mentioned, you can set the unpackWAR attribute to false.
http://tomcat.apache.org/tomcat-5.5-doc/config/context.html

Suggestion:
Have you considered pre-compiling your JSPs and removing the source files from the webapp altogether?
[ November 13, 2006: Message edited by: Ben Souther ]
Sunday Oyeniyi
Greenhorn

Joined: Jul 12, 2005
Posts: 14
Thank you Ben Souther for your response - pls educate me or throw more light on what you mean by pre-compiling my JSPs. How do I pre-compile the JSP? Does that mean that I will leave only the .class files that are generated in tomcat work folder and remove all the .jsp files? Bearing in mind that what exactly I want to achieve is to dual-control any change that will be effected on the jsps via a password. Pls assist me further!
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

First, 'pls' is not a word.
See UseRealWords to see why we so strongly discourage the use of non-English words here.

On to your question: There are ANT tasks for precompiling all of your JSPs, and yes, it means that you can ship only your .class files.
Besides making it very difficult for someone to tinker with them, you won't have to wait for the JSP to be compiled the first time you hit it.

I haven't done this myself so I won't be able to walk you through it but a Google search or two should get you started.
http://www.google.com/search?hl=en&q=ANT+Precompile+JSP&btnG=Google+Search
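
An added example, not part of any post in this thread: a release check for the precompile suggestion above. It lists JSP source files still inside a WAR and compares SHA-256 manifests of the approved and the deployed WAR; the entry names, sample contents and the manifest comparison are assumptions made for illustration.

```python
import hashlib
import io
import zipfile

JSP_SOURCE_SUFFIXES = (".jsp", ".jspx", ".jspf")

def audit_war(war_bytes):
    """Return (leftover JSP sources, {entry name: sha256}) for a WAR."""
    leftovers, manifest = [], {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for info in war.infolist():
            if info.is_dir():
                continue
            manifest[info.filename] = hashlib.sha256(war.read(info)).hexdigest()
            if info.filename.lower().endswith(JSP_SOURCE_SUFFIXES):
                leftovers.append(info.filename)
    return sorted(leftovers), manifest

def diff_manifests(approved, deployed):
    """Report entries added, removed or changed since sign-off."""
    common = approved.keys() & deployed.keys()
    return {
        "added": sorted(deployed.keys() - approved.keys()),
        "removed": sorted(approved.keys() - deployed.keys()),
        "changed": sorted(n for n in common if approved[n] != deployed[n]),
    }

def build_war(files):
    """Build an in-memory WAR from {name: bytes} (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        for name, data in files.items():
            war.writestr(name, data)
    return buf.getvalue()

# Constructed sample: one precompiled page plus a source file left behind.
CLASS = "WEB-INF/classes/org/apache/jsp/index_jsp.class"
SAMPLE = {"WEB-INF/web.xml": b"<web-app/>", CLASS: b"constructed-v1",
          "admin/report.jsp": b"<%= 1 %>"}
RELEASE_WAR = build_war(SAMPLE)
# Constructed "after" state: a class was swapped and a new JSP dropped in.
TAMPERED_WAR = build_war({**SAMPLE, CLASS: b"constructed-v2", "debug.jsp": b"<% %>"})

if __name__ == "__main__":
    leftovers, approved = audit_war(RELEASE_WAR)
    print("JSP sources still in WAR:", leftovers)
    print("Drift:", diff_manifests(approved, audit_war(TAMPERED_WAR)[1]))
```

For the comparison to support dual control, the approved manifest has to be kept somewhere the server administrators cannot write to.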
 