
I'm using the Struts 2 framework. I'm facing a problem: a user can access a JavaScript file directly by URL:

www.testAccess.com/scripts/somescript.js

I configured web.xml with this code, but it is not working:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Deny Direct Access</web-resource-name>
        <description></description>
        <url-pattern>*.jsp</url-pattern>
        <url-pattern>*.js</url-pattern>   <!-- here -->
    </web-resource-collection>
    <auth-constraint>
        <role-name>Denied</role-name>
    </auth-constraint>
</security-constraint>
<security-role>
    <role-name>Denied</role-name>
</security-role>

Thanks for your help.

Aleksandr M
podebwm
  • I know it. But can't we catch the request and, if the URL contains ".js", not respond to it? – podebwm Jun 27 '17 at 13:55
  • How do you think the browser retrieves the javascript for the website to work correctly if you block it?! – Mark Rotteveel Jun 27 '17 at 18:17
  • The website does not work correctly if I block it. But I mean, if mypage.jsp requests somescript.js then bypass it, but if a user requests it directly by URL, can I block this? Or is it impossible? @MarkRotteveel – podebwm Jun 28 '17 at 11:47
  • You fail to understand that your JSP doesn't use the javascript, it is the browser of the user that uses it (the JSP just generates HTML that is sent to the browser), so you cannot block it. – Mark Rotteveel Jun 28 '17 at 12:09
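
A simplified model of the constraint check, added here as an illustration (not code from the question or its comments, and not a container's real implementation): it shows that the decision uses only the request path and the caller's roles, so the script request issued by the page and the one typed into the address bar get the same result. The function names, the sample requests and the `user` role are constructed for this example.

```python
# Simplified model of how a servlet container applies the <security-constraint>
# from the question. Only the inputs the check uses are modelled: the request
# path and the caller's roles. Authentication challenges are left out.

CONSTRAINT = {                      # mirrors the web.xml in the question
    "url_patterns": ["*.jsp", "*.js"],
    "roles_allowed": {"Denied"},
}

def pattern_matches(pattern, path):
    """Servlet url-pattern forms: '*.ext', '/prefix/*', '/' and exact path."""
    if pattern.startswith("*."):
        last_segment = path.rsplit("/", 1)[-1]
        return last_segment.endswith(pattern[1:])
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return pattern == "/" or pattern == path

def decide(path, user_roles, constraint=CONSTRAINT):
    """Return the HTTP status the constraint produces for one request."""
    if not any(pattern_matches(p, path) for p in constraint["url_patterns"]):
        return 200                  # resource is not covered by the constraint
    if user_roles & constraint["roles_allowed"]:
        return 200                  # caller holds the required role
    return 403                      # covered resource, role missing

# Constructed requests. "origin" describes how the browser came to send the
# request; decide() never sees it, which is the point made in the comments.
REQUESTS = [
    {"origin": "<script src> on mypage.jsp", "path": "/scripts/somescript.js"},
    {"origin": "typed into the address bar", "path": "/scripts/somescript.js"},
    {"origin": "stylesheet link",            "path": "/styles/site.css"},
]

def evaluate(requests, user_roles):
    """Apply the constraint to each request for a caller with user_roles."""
    return [(r["origin"], decide(r["path"], user_roles)) for r in requests]

if __name__ == "__main__":
    for origin, status in evaluate(REQUESTS, {"user"}):
        print(f"{status}  {origin}")
```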

1 Answer


Are those roles set up properly?

If you think your JS holds some important information, move it to the server side. There are tools that you can use to obfuscate your JS. Obfuscation makes your JS hard to understand.

want2learn
  • My scripts don't have any important information. It's because of my work that I need to prevent it. Thanks for your help! I think obfuscation is the best way for now. – podebwm Jun 27 '17 at 14:13