CODEWITHSUNDEEP
jsptomcathtml
Guru
Guru

Reputation: 2857

How to make some pages not directly accessible from browser?

ex: I have two file in my web app : 1] index.html 2] some.html (or jsp)

From browser only index.html is to be accessible,

So If I call localhost:8080/index.html, it should return the actual page, and on load If I direct (Redirect) to some.html then some.html page should show up,

If I directly call localhost:8080/some.html, it should throw out an error that the page cannot be directly accessible, is there a way I can achieve this if I host the webapp in tomcat server?

Upvotes: 0

Views: 1814

Answers (2)

Alan Hay
Alan Hay

Reputation: 23226

A common solution is to move them under the WEB-INF directory. From here they are not publicly accessible but you can have a Servlet or some other controller forward to them

https://docs.oracle.com/cd/E21764_01/web.1111/e13712/configurewebapp.htm#WBAPP158

The WEB-INF directory is not part of the public document tree of the application. No file contained in the WEB-INF directory can be served directly to a client by the container. However, the contents of the WEB-INF directory are visible to servlet code using the getResource and getResourceAsStream() method calls on the ServletContext or includes/forwards using the RequestDispatcher.

An alternative is to leave them outside of WEB-INF and configure a security constraint in your web.xml. For eaxmple, if you have them in {webapp-root}/pages:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>JSP Files</web-resource-name>
        <description>No direct access to JSP files</description>
        <url-pattern>/pages/*</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description>No direct browser access to JSP files</description>
        <role-name>NobodyHasThisRole</role-name>
    </auth-constraint>
</security-constraint>

Upvotes: 3

Rishal
Rishal

Reputation: 1538

Use Filters and deny access to jsp's.

public class FilterMyJsp implements Filter{
    public void  doFilter(ServletRequest request, ServletReponse response,                
       FilterChain chain) {
      HttpServletRequest req= (HttpServletRequest) request;
      req.getRequestDispather("HandleError.jsp").forward(request,response);
}
}

Web.xml <filter> <filter-name>FilterMyJsp</filter-name> <filter-class>my.FilterMyJsp</filter-class> </filter> <filter-mapping> <filter-name>FilterMyJsp</filter-name> <url-pattern>*.jsp</url-pattern> </filter-mapping>

URL pattern * will apply this filter to each of the jsp's. You can design the HandleError.jsp with your respective error message which will be shown when user tries to access the other page.

Upvotes: 1

Related Questions