In web.xml, you can add this security constraint to block direct access to JSP files.
<security-constraint>
  <display-name>JSP Protection</display-name>
  <web-resource-collection>
    <web-resource-name>SecureJSPPages</web-resource-name>
    <url-pattern>*.jsp</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>nobody</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <description>
    Nobody should be in this role so JSP files are protected from direct access.
  </description>
  <role-name>nobody</role-name>
</security-role>
Sometimes a particular servlet or JSP needs to stay unprotected. Add a second security-constraint without an auth-constraint for its URL:
<security-constraint>
  <display-name>JSP Protection</display-name>
  <web-resource-collection>
    <web-resource-name>SecureJSPPages</web-resource-name>
    <url-pattern>*.jsp</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>nobody</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <display-name>NOT JSP Protection</display-name>
  <web-resource-collection>
    <web-resource-name>NOTSecureJSPPages</web-resource-name>
    <url-pattern>/common/L7check.jsp</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
</security-constraint>
<security-role>
  <description>
    Nobody should be in this role so JSP files are protected from direct access.
  </description>
  <role-name>nobody</role-name>
</security-role>
http://java.sun.com/xml/ns/j2ee/
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd