
I am using Struts 1.2 and global-forwards to access my JSP files, and I had also put a security constraint in my web.xml file. Even after putting /pages/* in the security constraint I can control direct access to my JSPs through the URL http://localhost:8080/mywebsite/pages/home.jsp, but whenever someone points the mouse around my menu item he is able to see a URL like http://localhost:8080/mywebsite/home.do, which I am displaying in an iframe, and so nothing can stop direct access to home.jsp by hitting the above URL; he is able to see home.jsp, which I only want to display in the iframe of my index.jsp. Below is the security constraint I am using. Also, I cannot use a constraint like <url-pattern>*.do</url-pattern>, as this would stop even displaying home.jsp in an iframe.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>JSP Files</web-resource-name>
        <description>No direct access to JSP files</description>
        <url-pattern>/pages/*</url-pattern>
        <!-- Listing http-method elements limits the constraint to these methods only;
             omit them entirely to cover every HTTP method. -->
        <http-method>POST</http-method>
        <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description>No direct browser access to JSP files</description>
        <role-name>NobodyHasThisRole</role-name>
    </auth-constraint>
</security-constraint>

Here is the configuration in my struts-config.xml:

<global-forwards>
    <forward name="home" path="/home.do"/>
</global-forwards>

<action-mappings>
    <action path="/home" forward="/pages/home.jsp"/>
</action-mappings>

1 Answer

Place your JSP files under /WEB-INF. The server will not serve anything from within the /WEB-INF folder. You don't even need a security rule in web.xml. See "Jakarta Struts - Seven Lessons from the Trenches", chapter 4, "Protect JSPs Behind WEB-INF" for more details.

Having done that, you then control access to your home page through a Struts action. That's the entire idea of using Struts: you no longer access JSP files directly but always go through a *.do action.

If you want to protect your JSP for all requests except when the request comes from an iframe, then that's not possible.

  • See, I have already tried this, but every browser displays the URL information used in the application like this: http://localhost:8080/mywebsite/home.do, and your home.do is mapped to /WEB-INF/pages/home.jsp in the struts-config.xml, so whenever someone clicks on the URL http://localhost:8080/mywebsite/home.do he will have direct access to home.jsp – Shashank Mar 14 '15 at 17:05
  • @SanjeevSingh: what you are trying to do is not straightforward because of how HTTP works. What's so special about home.jsp for you to need this behavior from your app? – Bogdan Mar 14 '15 at 17:09
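The layout the answer describes, as an added example that is not code from the question or the answer: the JSPs are moved under /WEB-INF/pages and the action mapping is updated to forward there. The servlet name, the struts-config.xml location and the index.jsp iframe markup are assumptions chosen to match the question's project. The mechanism it relies on is that the container's refusal to serve /WEB-INF (like a security-constraint) applies to incoming client requests only; a server-side RequestDispatcher forward from the /home.do action still reaches the JSP.

```xml
<!-- web.xml: only the Struts ActionServlet is exposed; no security-constraint
     is needed for the JSPs because nothing under /WEB-INF is served directly. -->
<web-app>
  <servlet>
    <servlet-name>action</servlet-name>
    <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
    <init-param>
      <param-name>config</param-name>
      <param-value>/WEB-INF/struts-config.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>action</servlet-name>
    <url-pattern>*.do</url-pattern>
  </servlet-mapping>
</web-app>

<!-- struts-config.xml: the forward path now points below /WEB-INF.
     A browser request for /mywebsite/WEB-INF/pages/home.jsp gets 404,
     while the forward from /home.do is an internal dispatch and succeeds. -->
<struts-config>
  <global-forwards>
    <forward name="home" path="/home.do"/>
  </global-forwards>
  <action-mappings>
    <action path="/home" forward="/WEB-INF/pages/home.jsp"/>
  </action-mappings>
</struts-config>

<!-- index.jsp (assumed markup): the iframe loads the action, never the JSP -->
<iframe src="home.do" title="home"></iframe>
```

With this layout the JSP file itself is unreachable by URL, but /home.do remains a public entry point: as the answer says, a request for it cannot be distinguished by the server from the same request issued by the iframe, so any access control has to be applied to the action (for example an authenticated session), not to the fact that it was embedded.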