0 Replies Latest reply on May 2, 2007 10:25 AM by Erron Austin

    Prevent Scriptlets

    Erron Austin Newbie

      A little background:

      I have Front-Controller Servlet that fowards all requests to jsp's located outside the application war. So, for example, http://localhost/myapp/test.jsp is actually a jsp located at (on windows) c:/content/client1/pages/test.jsp. I accomplish by doing the following:

      ServletConfig currentConfig = getServletConfig();
      ServletContext otherContext = currentConfig.getServletContext().getContext("/otherapp");
      RequestDispatcher dispatch = otherContext.getRequestDispatcher(page);
      dispatch.forward(request, response);
      


      The issue is that I have the following in my web.xml:
      ...
      <servlet>
      <servlet-name>FrontServletController</servlet-name>
      <servlet-class>com.diginsite.product.webcenter.website.FileController</servlet-class>
      </servlet>
      <servlet-mapping>
      <servlet-name>FrontServletController</servlet-name>
      <url-pattern>*.jsp</url-pattern>
      </servlet-mapping>
      <jsp-config>
       <jsp-property-group>
       <url-pattern>*.jsp</url-pattern>
       <scripting-invalid>true</scripting-invalid>
       </jsp-property-group>
       </jsp-config>
      ...
      


      However, the c:/content/client1/pages/test.jsp file does contain a scriptlet and it is working fine.

      I've attempted changing the url pattern of the jsp-property-group directly to /*/*/*/test.jsp with no luck as well as changing the url-pattern of the servlet to *.myext.

      -------------------------------------------------------------------------------------

      Since the "otherapp" doesn't contain a web.xml I decided to try and modify the $JBOSS_HOME/server/myapp/deploy/jbossweb-tomcat55.sar/conf/web.xml to include:
      <jsp-config>
      <jsp-property-group>
      <url-pattern>*.jsp</url-pattern>
      <scripting-invalid>true</scripting-invalid>
      </jsp-property-group>
      </jsp-config>

      This doesn't work either. Any other ideas of how I can prevent any jsp from containing scriptlets.