
Tuesday 18 August 2009

Securing JSP using security-constraint in web.xml


In most web applications the JSP pages should not be reachable by typing their URL directly into the browser. It is the job of the servlet (or controller) to validate the request and then forward it to the appropriate JSP, which renders the response.

Direct access to the JSP pages by the user can be blocked by adding the following entry to web.xml:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Access to JSP</web-resource-name>
    <!-- The constraint applies to every URL matching this pattern -->
    <url-pattern>/pages/*</url-pattern>
    <!-- Only the listed HTTP methods are covered by this constraint -->
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <!-- Empty auth-constraint: no role is permitted, so access is denied to everyone -->
  <auth-constraint/>
</security-constraint>

With this entry, every resource under /pages (relative to the application context root), not only the JSP files, is denied to client requests: the empty <auth-constraint/> means that no role is allowed, so the container rejects a direct GET or POST from the browser. Security constraints are applied only to requests arriving from the client, not to a RequestDispatcher.forward() issued by a servlet, so the servlet can still forward to those pages.

Caveat: a constraint that lists <http-method> elements covers only those methods. With the entry above, a HEAD, PUT, DELETE, OPTIONS or TRACE request to a URL under /pages is not restricted at all. Omit the <http-method> elements entirely so that the constraint applies to every method; on Servlet 3.0 and later, <http-method-omission> is also available for listing the methods that should be left unconstrained.
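As an added example (not part of the original post), the following Python script audits a web.xml for exactly this pitfall. The web.xml it parses is constructed inline: it contains the constraint from this post plus a hardened copy of it with no <http-method> list. The function names audit_web_xml and uncovered_methods and the /secure/* pattern are assumptions of the example, not anything from the post.

```python
"""Audit <security-constraint> entries in a web.xml for verb-tampering gaps.

Added example, not part of the original post. For every <security-constraint>
it reports the protected URL patterns, the HTTP methods actually covered, and
whether an empty <auth-constraint/> (deny-all) is present. A constraint that
lists <http-method> elements applies ONLY to those methods, so other verbs
(HEAD, PUT, DELETE, OPTIONS, TRACE) are dispatched without any restriction.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the post's constraint (GET/POST only) plus a hardened
# copy (pattern /secure/* is an assumption) with no <http-method> list.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Access to JSP</web-resource-name>
      <url-pattern>/pages/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Access to JSP (all methods)</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>
"""

# Verbs a container will dispatch if the constraint does not name them.
COMMON_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}


def _local(tag):
    """Strip the XML namespace so the code works with or without the xmlns."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    """Direct children of elem with the given local tag name."""
    return [c for c in elem if _local(c.tag) == name]


def audit_web_xml(xml_text):
    """Return one finding dict per <security-constraint> in the descriptor."""
    root = ET.fromstring(xml_text)
    findings = []
    for sc in _children(root, "security-constraint"):
        patterns, methods = [], set()
        for wrc in _children(sc, "web-resource-collection"):
            patterns += [p.text.strip() for p in _children(wrc, "url-pattern")]
            methods |= {m.text.strip().upper() for m in _children(wrc, "http-method")}
        auth = _children(sc, "auth-constraint")
        # <auth-constraint/> with no <role-name> means "no role may access": deny all.
        deny_all = bool(auth) and not _children(auth[0], "role-name")
        # No <http-method> at all means the constraint covers every method.
        uncovered = sorted(COMMON_METHODS - methods) if methods else []
        findings.append({
            "patterns": patterns,
            "methods": sorted(methods) or ["ALL"],
            "deny_all": deny_all,
            "uncovered_methods": uncovered,
            # The entry only does its job if it denies everyone on every verb.
            "effective": deny_all and not uncovered,
        })
    return findings


def uncovered_methods(findings, url_pattern):
    """Which verbs slip past the constraint protecting url_pattern."""
    for f in findings:
        if url_pattern in f["patterns"]:
            return f["uncovered_methods"]
    return sorted(COMMON_METHODS)  # no constraint at all: everything is open


if __name__ == "__main__":
    for f in audit_web_xml(WEB_XML):
        status = "OK" if f["effective"] else "WEAK"
        print(f"{status:4} {f['patterns']} methods={f['methods']} "
              f"deny_all={f['deny_all']} uncovered={f['uncovered_methods']}")
```

Run against the sample, the post's /pages/* constraint is reported as WEAK with HEAD, PUT, DELETE, OPTIONS and TRACE uncovered, while the /secure/* constraint with no <http-method> list is reported as OK. The same function can be pointed at a real deployment descriptor by reading the file instead of the inline string.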

Note: the same effect can be achieved without a security constraint by placing the JSP files inside the WEB-INF directory. The container never serves resources under WEB-INF directly to clients, but a servlet can still forward to them with a RequestDispatcher.
