Adds security constraints to block access to jsp files
Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/6f43464f
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/6f43464f
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/6f43464f
Branch: refs/heads/develop
Commit: 6f43464fcaab59e7345a3e394db4a969cf410d15
Parents: 6b00db2
Author: Lukasz Lenart <lukaszlen...@apache.org>
Authored: Tue Feb 25 10:57:21 2014 +0100
Committer: Lukasz Lenart <lukaszlen...@apache.org>
Committed: Tue Feb 25 10:57:21 2014 +0100
----------------------------------------------------------------------
.../jboss-blank/src/main/webapp/WEB-INF/web.xml | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/struts/blob/6f43464f/apps/jboss-blank/src/main/webapp/WEB-INF/web.xml
----------------------------------------------------------------------
diff --git a/apps/jboss-blank/src/main/webapp/WEB-INF/web.xml b/apps/jboss-blank/src/main/webapp/WEB-INF/web.xml
index 4902479..88c6fc8 100644
--- a/apps/jboss-blank/src/main/webapp/WEB-INF/web.xml
+++ b/apps/jboss-blank/src/main/webapp/WEB-INF/web.xml
@@ -17,4 +17,24 @@
 <welcome-file>index.html</welcome-file>
 </welcome-file-list>
+ <!-- Restricts access to pure JSP files - access available only via Struts action -->
+ <security-constraint>
+ <display-name>No direct JSP access</display-name>
+ <web-resource-collection>
+ <web-resource-name>No-JSP</web-resource-name>
+ <url-pattern>*.jsp</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>no-users</role-name>
+ </auth-constraint>
+ <user-data-constraint>
+ <transport-guarantee>NONE</transport-guarantee>
+ </user-data-constraint>
+ </security-constraint>
+
+ <security-role>
+ <description>Don't assign users to this role</description>
+ <role-name>no-users</role-name>
+ </security-role>
+
+ </web-app>
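Review bot: The deny rule in the added `<auth-constraint>` holds only while no deployment maps a principal to `no-users`; a role mapping in the container's security domain, deliberate or accidental, silently reopens direct JSP access. The Servlet specification treats an auth-constraint that names no roles as deny-all, so `<auth-constraint/>` gives the same effect without relying on the `<description>` being obeyed, and the `<security-role>` block can then be dropped. The single `<url-pattern>*.jsp</url-pattern>` also leaves `*.jspx` uncovered, which Tomcat-derived containers map to the JSP servlet by default; if this app can ever ship JSP documents, add `<url-pattern>*.jspx</url-pattern>` to the same collection. `<transport-guarantee>NONE</transport-guarantee>` is the default and can be omitted.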