Protecting JSPs behind WEB-INF and application modules

 
Greenhorn
Posts: 22
Hi there,

I am currently developing a web application based on Struts 1.2.4 and deploying on Tomcat 4.1.31 (going live on WebSphere 4.0.3).

I am looking into moving my jsp pages behind the WEB-INF folder of my web application so that they can be made more secure and less accessible.

I am also making use of the struts application module feature, which is working well. I have two modules, application and quotation.

Currently my file structure looks like this:

root
|
|--application/jsp
|
|--quotation/jsp
|
|--WEB-INF

What I would want it to look like is for the application and quotation modules to exist within the WEB-INF directory rather than at the root.

How can this be configured to be like this in Struts? From what I can see the module defaults to the root of the webapp which is what I don't want. Or can someone tell me how the security of the JSPs compares with files being in a modularized directory with them being stored behind the WEB-INF directory?

I hope someone can help me.

Thanks in advance.


Stuart
 
Greenhorn
Posts: 19
Hi Stu,

I have not tried what you are asking for, but I guess this article would help you in doing what you are trying to achieve. The whole article (Struts Best Practices) can be read at http://www.javaworld.com/javaworld/jw-09-2004/jw-0913-struts.html

Regards,
Sunoo

Safeguard your JSP pages
Problem
When developers use Web-based applications, they often try to break into the security. The most common habit is to view the source of HTML in the browser and somehow determine the path of JSP pages and access them. The intent is to highlight the vulnerability of JSP pages accessible without authorization. Users who lack authorization to view the source might observe the source URL while sitting with another user who is authorized to work on that specific screen. Later, this unauthorized user could log in to the application and type the URL in the browser. In some cases, such users are able to make their way through.

Struts best practice
The possible solutions to this problem:

1. Do not let users access any JSP page directly. The starting page can be an HTML document. Add the following lines to the web.xml file to prevent users from accessing any JSP page directly:

<web-app>
  ...
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>no_access</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  ...
</web-app>

2. The most popular option is to keep JSP pages behind the WEB-INF folder. This has a few tradeoffs. For example, you cannot take the JavaScript/CSS (Cascading Style Sheets) files behind WEB-INF, and if using Struts modules, you may encounter some context-related problems. Refer to the section "Context-Related Problems," which appears later in this article, to circumvent such issues.

The second approach allows some JSP pages (which are not behind WEB-INF) to be visible directly. It does not require a descriptor file entry, therefore the best practice is to keep the pages behind WEB-INF.
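As an added check for the setup discussed in this thread (example code, not from the forum posts or the JavaWorld article): the script reads a web.xml and reports whether a security-constraint with an empty auth-constraint covers *.jsp, as in the quoted fragment, and lists the JSP files that still sit outside WEB-INF in a webapp directory. The sample descriptor and the directory layout are constructed to mirror the thread's application/quotation modules.

```python
# Added check, not from the thread or the JavaWorld article (see lead-in).
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample: the article's web.xml fragment (servlet 2.3 style, no xmlns).
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>no_access</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""
def _local(tag):  # strip an xmlns prefix so servlet 2.4+ descriptors parse the same
    return tag.rsplit('}', 1)[-1]

def jsp_denied_directly(web_xml_text):
    """True if a security-constraint maps *.jsp to an EMPTY auth-constraint (no role-name):
    the container refuses direct JSP requests, but action forwards are not checked."""
    root = ET.fromstring(web_xml_text)
    for sc in root.iter():
        if _local(sc.tag) != 'security-constraint':
            continue
        patterns = {p.text.strip() for p in sc.iter()
                    if _local(p.tag) == 'url-pattern' and p.text}
        empty_auth = any(_local(a.tag) == 'auth-constraint' and len(a) == 0
                         for a in sc.iter())
        if '*.jsp' in patterns and empty_auth:
            return True
    return False
def exposed_jsps(webapp_root):
    """JSP files outside WEB-INF, i.e. requestable by URL unless web.xml denies *.jsp."""
    found = []
    for dirpath, _dirs, files in os.walk(webapp_root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), webapp_root).replace(os.sep, '/')
            if name.lower().endswith('.jsp') and rel.split('/')[0] != 'WEB-INF':
                found.append(rel)
    return sorted(found)
def build_sample_webapp():
    """Constructed layout from the thread: module JSPs at the root, one under WEB-INF."""
    root = tempfile.mkdtemp()
    for rel in ('application/jsp/quote.jsp', 'quotation/jsp/list.jsp',
                'WEB-INF/jsp/secure.jsp', 'index.html'):
        path = os.path.join(root, *rel.split('/'))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, 'w').close()
    return root
```

Security constraints apply only to requests arriving from the client, so forwards from Struts actions to the denied JSPs keep working; a JSP served under an extension other than .jsp would need its own url-pattern.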
 
Stuart Bell
Greenhorn
Posts: 22
Thanks, the entries in the web.xml look to be a solution we can work with. That should keep the application modules happy and also make our JSPs more secure.

Regards,


Stuart
 