1

I am using Google App Engine to develop a Java web app. My problem is that all my JSP files can be reached under http://localhost:8888/namefile.jsp. I put all my JSP files in the war folder.

Where should I put the JSP files to avoid this? Or should I just modify the web.xml, changing the URL mapping?

Here is my web.xml file:

<servlet>
    <servlet-name>frontController</servlet-name>
    <servlet-class>com.myapp.frontcontroller.FrontController</servlet-class>
</servlet>

<servlet-mapping>
    <servlet-name>frontController</servlet-name>
    <url-pattern>/myapp/*</url-pattern>
</servlet-mapping>


<welcome-file-list>
    <welcome-file>home.jsp</welcome-file>
</welcome-file-list>

Thanks in advance.

user31431
  • What is the problem with this? Did you get any trouble in it? – Wanna Coffee Jan 04 '14 at 13:11
  • No, but for example, if in my JSP I read parameters from the HttpRequest, then anyone can pass parameters to my page http://localhost:8888/namefile.jsp?param = bala. I think that is not a big problem since I do all the controls... but I really don't like this. – user31431 Jan 04 '14 at 13:19
  • If you are using the "post" method instead of "get", you won't get any trouble. – Wanna Coffee Jan 04 '14 at 13:21
  • Similar problem to: http://stackoverflow.com/questions/19843715/how-can-i-hide-the-jsp-file-in-web-inf-folder – t0mppa Jan 04 '14 at 13:23

2 Answers

1

You have a few options and could use any of them depending on your requirements:

  • You can place the files inside the WEB-INF folder. The folders/files present in there will not be available by default. You will need to redirect and/or forward requests accordingly to the right files.

  • It is not just about JSP files but also servlets, which could get directly accessed. Ideally you want to protect URL patterns and make sure that only authorized users, i.e. users with a certain role, can access the servlets/folders that come under them. Towards that, GAE uses the standard security-constraint in the web.xml file. Read up at https://developers.google.com/appengine/docs/java/config/webxml#Security_and_Authentication

  • Finally, you could also look at a Servlet filter to meet your requirements. You could have a global filter that checks if a user is logged in and only then can move ahead with accessing the web resource. A filter could also help you perform logging to check who is accessing your application, and handle other cross-cutting concerns.

Romin
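
A front controller for the first option in the answer above, written here as an added example (not code from the question or from either answer). It assumes the JSPs are moved to a hypothetical war/WEB-INF/jsp/ folder and that the routes /home and /namefile are the ones the application serves.

```java
package com.myapp.frontcontroller;

import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Mapped to /myapp/* in web.xml, as in the question. Only GET is shown.
public class FrontController extends HttpServlet {
    // Assumed layout: the container refuses direct requests for anything
    // under /WEB-INF/, but a server-side forward can still reach it.
    private static final String VIEW_ROOT = "/WEB-INF/jsp/";

    // Allow-list of route -> view. Request input is only a lookup key and never
    // becomes part of a file path, so "../" cannot select another file.
    private static final Map<String, String> VIEWS;
    static {
        Map<String, String> m = new HashMap<>();
        m.put("/home", "home.jsp");          // hypothetical routes
        m.put("/namefile", "namefile.jsp");
        VIEWS = Collections.unmodifiableMap(m);
    }

    // Pure lookup: returns the internal JSP path, or null for an unknown route.
    static String resolveView(String pathInfo) {
        String route = (pathInfo == null || pathInfo.equals("/")) ? "/home" : pathInfo;
        String jsp = VIEWS.get(route);
        return jsp == null ? null : VIEW_ROOT + jsp;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String view = resolveView(req.getPathInfo());
        if (view == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Validate parameters and set request attributes here, before the view runs.
        req.getRequestDispatcher(view).forward(req, resp);
    }
}
```

With this layout, /myapp/namefile renders the page through the controller, while a direct request for /namefile.jsp no longer finds a file in the public part of the war folder.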
0

Public JSP files should be in the root directory of the project and private JSP files should be in the WEB-INF folder, as things under WEB-INF are not accessible publicly.

Prashant_M