security-constraint blocks welcome file with 403

security-constraint blocks welcome file with 403

Greg Huber
Hello,

If I add a security constraint to block direct access to jsp outside of
/WEB-INF/ it blocks the welcome-file with a 403.  Is there a caveat for
using this here?

<!-- Restricts access to pure JSP files - access available only via Struts
action -->
     <security-constraint>
         <display-name>No direct JSP access</display-name>
         <web-resource-collection>
             <web-resource-name>No-JSP</web-resource-name>
             <url-pattern>*.jsp</url-pattern>
         </web-resource-collection>
         <auth-constraint>
             <role-name>no-users</role-name>
         </auth-constraint>
     </security-constraint>

     <security-role>
         <description>Don't assign users to this role</description>
         <role-name>no-users</role-name>
     </security-role>

     <welcome-file-list>
         <welcome-file>WEB-INF/jsps/index.jsp</welcome-file>
     </welcome-file-list>

Cheers Greg

Re: security-constraint blocks welcome file with 403

markt
On 19/06/17 08:24, Greg Huber wrote:
> Hello,
>
> If I add a security constraint to block direct access to jsp outside of
> /WEB-INF/ it blocks the welcome-file with a 403.  Is there a caveat for
> using this here?

Your welcome file is invalid. It should be a file name without a path.
Remember it applies to all directories, not just the web application root.

Security constraints apply to welcome files.

You'll need to use a servlet to do a forward to "WEB-INF/jsps/index.jsp"

Mark


>
> <!-- Restricts access to pure JSP files - access available only via Struts
> action -->
>      <security-constraint>
>          <display-name>No direct JSP access</display-name>
>          <web-resource-collection>
>              <web-resource-name>No-JSP</web-resource-name>
>              <url-pattern>*.jsp</url-pattern>
>          </web-resource-collection>
>          <auth-constraint>
>              <role-name>no-users</role-name>
>          </auth-constraint>
>      </security-constraint>
>
>      <security-role>
>          <description>Don't assign users to this role</description>
>          <role-name>no-users</role-name>
>      </security-role>
>
>      <welcome-file-list>
>          <welcome-file>WEB-INF/jsps/index.jsp</welcome-file>
>      </welcome-file-list>
>
> Cheers Greg
>


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
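
The servlet forward suggested in the reply above, as an added example that is not part of any post in this thread. It assumes the `javax.servlet` API (Servlet 3.0 or later) and annotation scanning; the class name `WelcomeForwardServlet` is hypothetical, and the JSP path is the one from the original question.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical class name (not from the thread).
// The empty-string URL pattern maps exactly the context root ("/app/"),
// so this servlet takes over the job of the <welcome-file-list> entry.
// If web.xml sets metadata-complete="true", declare the servlet and its
// mapping in web.xml instead of relying on this annotation.
@WebServlet(urlPatterns = "")
public class WelcomeForwardServlet extends HttpServlet {

    // JSP kept under WEB-INF so it can never be requested directly.
    private static final String INDEX_JSP = "/WEB-INF/jsps/index.jsp";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Security constraints are checked against the client's request URI
        // (here the context root), not against RequestDispatcher forwards,
        // so the *.jsp / no-users constraint stays in place for direct
        // requests while this internal forward is still allowed.
        req.getRequestDispatcher(INDEX_JSP).forward(req, resp);
    }
}
```

With this mapping in place the `*.jsp` constraint can stay as posted; a direct request for any `.jsp` URL still returns 403.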


Re: security-constraint blocks welcome file with 403

Addy D
On Mon, Jun 19, 2017 at 3:09 PM, Mark Thomas <[hidden email]> wrote:

> On 19/06/17 08:24, Greg Huber wrote:
> > Hello,
> >
> > If I add a security constraint to block direct access to jsp outside of
> > /WEB-INF/ it blocks the welcome-file with a 403.  Is there a caveat for
> > using this here?
>
> Your welcome file is invalid. It should be a file name without a path.
> Remember it applies to all directories, not just the web application root.
>
> Security constraints apply to welcome files.
>
> You'll need to use a servlet to do a forward to "WEB-INF/jsps/index.jsp"
>
> Mark
>
>
> >
> > <!-- Restricts access to pure JSP files - access available only via Struts
> > action -->
> >      <security-constraint>
> >          <display-name>No direct JSP access</display-name>
> >          <web-resource-collection>
> >              <web-resource-name>No-JSP</web-resource-name>
> >              <url-pattern>*.jsp</url-pattern>
> >          </web-resource-collection>
> >          <auth-constraint>
> >              <role-name>no-users</role-name>
> >          </auth-constraint>
> >      </security-constraint>
> >
> >      <security-role>
> >          <description>Don't assign users to this role</description>
> >          <role-name>no-users</role-name>
> >      </security-role>
> >
> >      <welcome-file-list>
> >          <welcome-file>WEB-INF/jsps/index.jsp</welcome-file>
> >      </welcome-file-list>
> >
> > Cheers Greg
> >
>
This is what I have done using spring.

    // Serves the "login" view for both the context root and /login
    @RequestMapping(value = { "/", "/login" })
    public ModelAndView login(@RequestParam(value = "error", required = false) String error,
            @RequestParam(value = "logout", required = false) String logout) {
        ModelAndView modelAndView = new ModelAndView();
        modelAndView.setViewName("login");
        return modelAndView;
    }

And my login.jsp file resides at WEB-INF/jsp/login.jsp

In case you are using Spring. ;)



Re: security-constraint blocks welcome file with 403

Greg Huber
Mark,

Thanks for the info, originally I was using just index.jsp, but this also
gets blocked with a 403:

<welcome-file>index.jsp</welcome-file>

I will look into the servlet suggestion.

Cheers Greg

On 19 June 2017 at 10:39, Mark Thomas <[hidden email]> wrote:

> On 19/06/17 08:24, Greg Huber wrote:
> > Hello,
> >
> > If I add a security constraint to block direct access to jsp outside of
> > /WEB-INF/ it blocks the welcome-file with a 403.  Is there a caveat for
> > using this here?
>
> Your welcome file is invalid. It should be a file name without a path.
> Remember it applies to all directories, not just the web application root.
>
> Security constraints apply to welcome files.
>
> You'll need to use a servlet to do a forward to "WEB-INF/jsps/index.jsp"
>
> Mark
>
>
> >
> > <!-- Restricts access to pure JSP files - access available only via Struts
> > action -->
> >      <security-constraint>
> >          <display-name>No direct JSP access</display-name>
> >          <web-resource-collection>
> >              <web-resource-name>No-JSP</web-resource-name>
> >              <url-pattern>*.jsp</url-pattern>
> >          </web-resource-collection>
> >          <auth-constraint>
> >              <role-name>no-users</role-name>
> >          </auth-constraint>
> >      </security-constraint>
> >
> >      <security-role>
> >          <description>Don't assign users to this role</description>
> >          <role-name>no-users</role-name>
> >      </security-role>
> >
> >      <welcome-file-list>
> >          <welcome-file>WEB-INF/jsps/index.jsp</welcome-file>
> >      </welcome-file-list>
> >
> > Cheers Greg
> >
>