Turning off JSP access

To turn off JSP access in your JBoss or other favorite application server add this to your web.xml.

<!-- Restrict direct access to jsps -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>you_cant_touch_this</web-resource-name>
    <url-pattern>*.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>

To prevent Apache from sending JSP requests to JBoss add the following to your configuration.

## DISALLOW FROM REACHING JBOSS (security-related filter):
!/*.jsp=name_of_your_app
!/*.xml=name_of_your_app

Leave a Reply

Your email address will not be published. Required fields are marked *