
I need to block the direct access to the jsp pages.

I've set my web.xml like this:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>My Hidden Pages</web-resource-name>
    <url-pattern>/*.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint></auth-constraint>
</security-constraint>

but all the pages are still accessible by typing their address in the browser address bar. How can I solve this?

FYI I'm using jetty-maven-plugin and servlet-api 2.5

thanks

Joakim Erdfelt
helloIAmPau

2 Answers


You don't hide jsps that way.

There are a few common approaches (best choice first)

  1. Precompile your JSPs during build time, and don't include the actual JSP files in your WAR file.

  2. Put your JSP file in the WEB-INF folder somewhere. Access to the jsps are then done via a Controller servlet. This uses the security of WEB-INF to prevent direct access to the JSP files, something that all servlet containers must honor.

    See past stackoverflow questions on this:

    There are many more, just search for "jsp in web-inf" to discover more about this concept.

  3. Properly configure Jetty's JSP implementation. Once done, this means all access to JSP files must go through that implementation's JspServlet.

    See webdefault.xml for example of how this mapping is defined.

    If you see an error or warning on startup about "No JSP Support for ", then you know you've not configured JSP properly, and that means all JSP files will instead be served in a static way.

    Note: If you are using an older version of Jetty (anything older than version 7.6.16), or are using an older version of Java (anything older than 1.7_40), or are using Jetty on Windows (problem here is solved with Jetty 9.3.0 due out in the next month or so), then even this can be worked around.

Joakim Erdfelt
  • Just updating the jetty-maven-plugin (now I'm using 9.2.3) the `security-constraint` tag start to work. Thanks. – helloIAmPau Sep 26 '14 at 08:07
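As an added example (not part of the answer above, and not Jetty's own webdefault.xml), here is a Servlet 2.5 web.xml that applies options 2 and 3 from that answer: the JSPs live under /WEB-INF/jsp/ and are reached only through a controller servlet, and *.jsp is explicitly mapped to the container's JSP servlet so it is never served as static text. The class com.example.ControllerServlet is hypothetical; the Jasper servlet class is the one Jetty 7/8 webdefault.xml uses, and whether your Jetty version needs the mapping in web.xml at all depends on how JSP support is configured.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the answer's or the project's own configuration.
     Keeps views under WEB-INF and routes page requests through a controller. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- Option 2: the controller is the only public entry point for the views.
       Inside its doGet/doPost it forwards to the hidden JSP:
         request.getRequestDispatcher("/WEB-INF/jsp/home.jsp").forward(request, response);
       A browser request for /WEB-INF/jsp/home.jsp is answered with 404 by every
       compliant container, so the view cannot be reached directly.
       com.example.ControllerServlet is a hypothetical class name. -->
  <servlet>
    <servlet-name>controller</servlet-name>
    <servlet-class>com.example.ControllerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>controller</servlet-name>
    <url-pattern>/app/*</url-pattern>
  </servlet-mapping>

  <!-- Option 3: make sure JSP requests go through the JSP servlet rather than
       the default (static file) servlet. This is the mapping that Jetty's
       webdefault.xml normally supplies when JSP support is configured; it is
       repeated here (assumption: Apache Jasper's servlet class) so the intent
       is visible in the application's own descriptor. -->
  <servlet>
    <servlet-name>jsp</servlet-name>
    <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
    <load-on-startup>0</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>jsp</servlet-name>
    <url-pattern>*.jsp</url-pattern>
    <url-pattern>*.jspx</url-pattern>
  </servlet-mapping>
</web-app>
```

A quick check that option 2 is in effect: request /WEB-INF/jsp/home.jsp directly and expect a 404, then request /app/home and expect the rendered page. If the first request returns the JSP source as text, JSP support is not configured (the "No JSP Support" startup warning the answer mentions) and the container is treating the file as a static resource.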

Your <url-pattern> is incorrect. It should be <url-pattern>*.jsp</url-pattern> without the /. The allowed patterns according to spec are:

A URL pattern is a URI that is relative to the application context. Patterns can include:

  • Path mapping, starting with / and ending with /* This pattern identifies any resource that starts with a given path, for example, /catalog/* or /catalog/products/*
  • Extension mapping, starting with *. This pattern identifies any resource with the given extension, for example, *.jsp or *.gif
  • Default servlet mapping, containing only / This pattern identifies the default servlet of the application.
  • Exact matches This pattern uses a string that represents a specific resource, for example, /snoop is a servlet mapping and /list/banner.jsp is a file mapping.

If you want to secure pages in a given folder, you need to use a pattern like /folder/*; if you want to protect all pages, use just *.jsp; if you want to protect all pages except index.jsp, you will need to add another constraint which explicitly allows access to the /index.jsp file.

Gas
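As an added example (not part of the answer above), here is the question's constraint rewritten with a valid extension pattern, together with the second constraint the answer describes for leaving /index.jsp reachable. The resource names are constructed for the example.

```xml
<!-- Added example, not from the answer or the question. Servlet 2.5 web.xml
     fragment: deny direct requests for every JSP, except the landing page. -->

<security-constraint>
  <web-resource-collection>
    <web-resource-name>My Hidden Pages</web-resource-name>
    <!-- Extension mapping has no leading slash. The original "/*.jsp" is
         neither a path mapping (it does not end in /*) nor an extension
         mapping (it does not start with *.), so the container treats it as
         an exact match for a resource literally named "/*.jsp", which never
         matches a real request. -->
    <url-pattern>*.jsp</url-pattern>
  </web-resource-collection>
  <!-- An empty auth-constraint lists no roles, so no caller is permitted:
       every direct request for a .jsp gets 403. -->
  <auth-constraint/>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Public landing page</web-resource-name>
    <!-- Exact match. It is more specific than the *.jsp extension pattern,
         so it is the constraint applied to /index.jsp. -->
    <url-pattern>/index.jsp</url-pattern>
  </web-resource-collection>
  <!-- No auth-constraint element at all means unrestricted access.
       (An empty <auth-constraint/> would deny it like the rest.) -->
</security-constraint>
```

Two caveats worth knowing when relying on this. Security constraints are evaluated only on requests arriving from the client; a RequestDispatcher forward or include from a servlet is not checked, so a controller can still forward to a constrained .jsp, which is usually what you want. And the extension pattern covers only the extension you list: files ending in .jspx, or JSPs reachable under a welcome-file URL such as /, are not matched by *.jsp and need their own pattern if they must be blocked.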