In web.xml, you can add the following security constraint so that JSP files cannot be requested directly.

  <security-constraint>
    <display-name>JSP Protection</display-name>
    <web-resource-collection>
      <web-resource-name>SecureJSPPages</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
      <!-- The constraint applies only to the methods listed here;
           omit the http-method elements to cover every HTTP method. -->
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <!-- Only the "nobody" role may access *.jsp, and no user is given that role. -->
    <auth-constraint>
      <role-name>nobody</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <description>
      Nobody should be in this role so JSP files are protected from direct access.
    </description>
    <role-name>nobody</role-name>
  </security-role>




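Sometimes a particular servlet or JSP must stay directly accessible. Give it its own security-constraint without an auth-constraint, as with /common/L7check.jsp below.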


  <security-constraint>
    <display-name>JSP Protection</display-name>
    <web-resource-collection>
      <web-resource-name>SecureJSPPages</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>nobody</role-name>
    </auth-constraint>
  </security-constraint>
  <!-- No auth-constraint here: this exact path is a closer match than *.jsp,
       so the page stays reachable without any role. -->
  <security-constraint>
    <display-name>NOT JSP Protection</display-name>
    <web-resource-collection>
      <web-resource-name>NOTSecureJSPPages</web-resource-name>
      <url-pattern>/common/L7check.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
  </security-constraint>
  <security-role>
    <description>
      Nobody should be in this role so JSP files are protected from direct access.
    </description>
    <role-name>nobody</role-name>
  </security-role>



References
http://www.jboss.org/file-access/default/members/jbossas/freezone/docs/Server_Configuration_Guide/4/html/J2EE_Declarative_Security_Overview-Web_Content_Security_Constraints.html
http://java.sun.com/xml/ns/j2ee/
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd


Posted by 김용환