Repository: struts Updated Branches: refs/heads/feature/move-jsps-under-webinf 4360a0666 -> d07e8044b
Adds security constraints to web.xml to block access to pure JSP files
Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/95b309a9
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/95b309a9
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/95b309a9
Branch: refs/heads/feature/move-jsps-under-webinf
Commit: 95b309a9b93eebadb589a335947598d815add80b
Parents: 4360a06
Author: Lukasz Lenart <lukaszlen...@apache.org>
Authored: Sun Mar 2 21:13:38 2014 +0100
Committer: Lukasz Lenart <lukaszlen...@apache.org>
Committed: Sun Mar 2 21:13:38 2014 +0100
----------------------------------------------------------------------
apps/blank/src/main/webapp/WEB-INF/web.xml | 5 +++++
apps/jboss-blank/src/main/webapp/WEB-INF/web.xml | 3 ---
apps/mailreader/src/main/webapp/WEB-INF/web.xml | 17 +++++++++++++++++
apps/portlet/src/main/webapp/WEB-INF/web.xml | 17 +++++++++++++++++
apps/rest-showcase/src/main/webapp/WEB-INF/web.xml | 17 +++++++++++++++++
apps/showcase/src/main/webapp/WEB-INF/web.xml | 17 +++++++++++++++++
6 files changed, 73 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/struts/blob/95b309a9/apps/blank/src/main/webapp/WEB-INF/web.xml
----------------------------------------------------------------------
diff --git a/apps/blank/src/main/webapp/WEB-INF/web.xml b/apps/blank/src/main/webapp/WEB-INF/web.xml
index e8c0f46..f15252b 100644
--- a/apps/blank/src/main/webapp/WEB-INF/web.xml
+++ b/apps/blank/src/main/webapp/WEB-INF/web.xml
@@ -31,4 +31,9 @@
 </auth-constraint>
 </security-constraint>
 
+ <security-role>
+ <description>Don't assign users to this role</description>
+ <role-name>no-users</role-name>
+ </security-role>
+
 </web-app>
http://git-wip-us.apache.org/repos/asf/struts/blob/95b309a9/apps/jboss-blank/src/main/webapp/WEB-INF/web.xml
----------------------------------------------------------------------
diff --git a/apps/jboss-blank/src/main/webapp/WEB-INF/web.xml b/apps/jboss-blank/src/main/webapp/WEB-INF/web.xml
index 88c6fc8..d1cf020 100644
--- a/apps/jboss-blank/src/main/webapp/WEB-INF/web.xml
+++ b/apps/jboss-blank/src/main/webapp/WEB-INF/web.xml
@@ -27,9 +27,6 @@
 <auth-constraint>
 <role-name>no-users</role-name>
 </auth-constraint>
- <user-data-constraint>
- <transport-guarantee>NONE</transport-guarantee>
- </user-data-constraint>
 </security-constraint>
 
 <security-role>
http://git-wip-us.apache.org/repos/asf/struts/blob/95b309a9/apps/mailreader/src/main/webapp/WEB-INF/web.xml
----------------------------------------------------------------------
diff --git a/apps/mailreader/src/main/webapp/WEB-INF/web.xml b/apps/mailreader/src/main/webapp/WEB-INF/web.xml
index 9b35ec3..b01d864 100644
--- a/apps/mailreader/src/main/webapp/WEB-INF/web.xml
+++ b/apps/mailreader/src/main/webapp/WEB-INF/web.xml
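Review bot: The `*.jsp` block still hinges on deployment-time role mapping: the `no-users` role declared in this hunk denies direct JSP access only for as long as nobody ever maps a principal or group to it, and the `<description>` text is the only thing that says so. The Servlet specification defines an empty `<auth-constraint/>` (no `<role-name>` child) as precluding access for every user, which would drop the placeholder role and this `<security-role>` declaration entirely; the same applies to the mailreader, portlet, rest-showcase and showcase hunks, and is worth confirming on the JBoss profile as well. The `<security-constraint>` this role backs starts above the hunk. If the placeholder role is kept deliberately, the reason belongs in the file, e.g. `<!-- Placeholder role used only to deny *.jsp; mapping any principal to it reopens direct JSP access -->`.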
@@ -27,4 +27,21 @@
 <welcome-file>index.html</welcome-file>
 </welcome-file-list>
 
+ <!-- Restricts access to pure JSP files - access available only via Struts action -->
+ <security-constraint>
+ <display-name>No direct JSP access</display-name>
+ <web-resource-collection>
+ <web-resource-name>No-JSP</web-resource-name>
+ <url-pattern>*.jsp</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>no-users</role-name>
+ </auth-constraint>
+ </security-constraint>
+
+ <security-role>
+ <description>Don't assign users to this role</description>
+ <role-name>no-users</role-name>
+ </security-role>
+
 </web-app>
http://git-wip-us.apache.org/repos/asf/struts/blob/95b309a9/apps/portlet/src/main/webapp/WEB-INF/web.xml
----------------------------------------------------------------------
diff --git a/apps/portlet/src/main/webapp/WEB-INF/web.xml b/apps/portlet/src/main/webapp/WEB-INF/web.xml
index f424419..d4a3c79 100644
--- a/apps/portlet/src/main/webapp/WEB-INF/web.xml
+++ b/apps/portlet/src/main/webapp/WEB-INF/web.xml
@@ -28,4 +28,21 @@
 </listener-class>
 </listener>
 
+ <!-- Restricts access to pure JSP files - access available only via Struts action -->
+ <security-constraint>
+ <display-name>No direct JSP access</display-name>
+ <web-resource-collection>
+ <web-resource-name>No-JSP</web-resource-name>
+ <url-pattern>*.jsp</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>no-users</role-name>
+ </auth-constraint>
+ </security-constraint>
+
+ <security-role>
+ <description>Don't assign users to this role</description>
+ <role-name>no-users</role-name>
+ </security-role>
+
 </web-app>
http://git-wip-us.apache.org/repos/asf/struts/blob/95b309a9/apps/rest-showcase/src/main/webapp/WEB-INF/web.xml
----------------------------------------------------------------------
diff --git a/apps/rest-showcase/src/main/webapp/WEB-INF/web.xml b/apps/rest-showcase/src/main/webapp/WEB-INF/web.xml
index d10c214..694c349 100644
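Review bot: The `<url-pattern>*.jsp</url-pattern>` in the new `<web-resource-collection>` covers a single extension, while containers typically map the JSP servlet to `*.jspx` too, so any `.jspx` page in these apps (none visible here) would stay directly reachable; url-pattern matching is also case-sensitive, so what a `.JSP` request resolves to is left to the container and filesystem. Adding `<url-pattern>*.jspx</url-pattern>` beside the existing pattern closes the first gap. The comment above the constraint could also state why Struts actions keep working, since that is the property the whole block relies on: `<!-- Container security constraints are checked for client requests only; RequestDispatcher forwards from Struts actions are not affected -->`. The same block is added in the portlet, rest-showcase and showcase hunks.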
--- a/apps/rest-showcase/src/main/webapp/WEB-INF/web.xml
+++ b/apps/rest-showcase/src/main/webapp/WEB-INF/web.xml
@@ -26,4 +26,21 @@
 <welcome-file>index.jsp</welcome-file>
 </welcome-file-list>
 
+ <!-- Restricts access to pure JSP files - access available only via Struts action -->
+ <security-constraint>
+ <display-name>No direct JSP access</display-name>
+ <web-resource-collection>
+ <web-resource-name>No-JSP</web-resource-name>
+ <url-pattern>*.jsp</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>no-users</role-name>
+ </auth-constraint>
+ </security-constraint>
+
+ <security-role>
+ <description>Don't assign users to this role</description>
+ <role-name>no-users</role-name>
+ </security-role>
+
 </web-app>
http://git-wip-us.apache.org/repos/asf/struts/blob/95b309a9/apps/showcase/src/main/webapp/WEB-INF/web.xml
----------------------------------------------------------------------
diff --git a/apps/showcase/src/main/webapp/WEB-INF/web.xml b/apps/showcase/src/main/webapp/WEB-INF/web.xml
index 62335a4..f3b88e9 100644
--- a/apps/showcase/src/main/webapp/WEB-INF/web.xml
+++ b/apps/showcase/src/main/webapp/WEB-INF/web.xml
@@ -194,4 +194,21 @@
 <welcome-file>index.html</welcome-file>
 </welcome-file-list>
 
+ <!-- Restricts access to pure JSP files - access available only via Struts action -->
+ <security-constraint>
+ <display-name>No direct JSP access</display-name>
+ <web-resource-collection>
+ <web-resource-name>No-JSP</web-resource-name>
+ <url-pattern>*.jsp</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>no-users</role-name>
+ </auth-constraint>
+ </security-constraint>
+
+ <security-role>
+ <description>Don't assign users to this role</description>
+ <role-name>no-users</role-name>
+ </security-role>
+
 </web-app>
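Review bot: This web.xml declares `<welcome-file>index.jsp</welcome-file>` (context line at the top of the rest-showcase hunk), and the new `*.jsp` constraint now applies to exactly that file. Whether a request for the application root still reaches `index.jsp` depends on whether the container evaluates constraints against the request URI or the resolved welcome-file path, which varies by container, so both a root page that bypasses the constraint and a 403 on `/` are possible outcomes. If the root must keep working, make the welcome file something outside the constraint, for example an `index.html` as the mailreader and showcase web.xml files use, or document the expected behaviour beside the welcome-file entry. The showcase hunk on this line has the same block but keeps `index.html` as its welcome file, so it is not affected.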