
Re: Question regarding security of delivered jsp's.



I'm using JSPs >because< I want customers to be able to change the
look & feel of their site.  I would not put private data or logic in
a JSP; use a servlet for this.  The servlet will do the proprietary
stuff, store results in a session, then redirect to a JSP.  The JSP
will access the data in the servlet.  The customer can change the JSP
to their heart's content.  Your private stuff stays private.

Or, you could just use the class files generated by the jsp servlet.
Of course, references to "http://servlet/mine.jsp" would have to be
changed to "http://servlet/mine".  I have a small Java program that
takes a jsp and generates the corresponding class file, if you'd like
a copy.  It's very simple to write your own.

I'll post the code to:
http://www.gims.net/users/ktm/gnuJSP.java

It might not get posted until tonight, though.

Kit

On Wed, 10 Feb 1999, Joe Hoffman wrote:

> How can I deliver runnable JSP's to my customers without extending them
> the ability to edit/change the JSP content?
> 
> One suggested idea is to have a switch (I'm not sure where) that
> indicates that only generated .class files should be used, and thus not
> look for .jsp files.  Therefore I would only have to deliver the
> contents of the generated directory (apache).  Maybe there is a way
> to extend this idea somehow and just deliver a jar file that contains
> all my generated class files.
> 
> Has anyone thought of this issue and are there any good/proposed
> solutions?
> 
> regards
> 
> joe hoffman
> Harland Corp.
> Denver, CO
>
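
The servlet-then-JSP split described in the reply above, as an added example that is not part of the original message or of the code it offers to post. It assumes the `javax.servlet` API on the classpath; `QuoteServlet`, `PricingEngine`, the `qty` parameter, the `quoteView` attribute and `/quote.jsp` are hypothetical names.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet: delivered to the customer only as a compiled class.
public class QuoteServlet extends HttpServlet {

    /** Stand-in for the proprietary logic (constructed pricing rule). */
    static final class PricingEngine {
        static long priceInCents(int quantity) {
            long unitCents = quantity >= 100 ? 450 : 500;
            return unitCents * quantity;
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        int quantity;
        try {
            // parseInt also throws NumberFormatException when qty is missing.
            quantity = Integer.parseInt(req.getParameter("qty"));
        } catch (NumberFormatException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "qty must be an integer");
            return;
        }
        if (quantity < 1 || quantity > 10_000) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "qty out of range");
            return;
        }

        // The editable JSP runs in the same web application and can read the
        // whole session, so store only finished, read-only display strings,
        // never the inputs or intermediate state of the private logic.
        long cents = PricingEngine.priceInCents(quantity);
        Map<String, String> view = new LinkedHashMap<>();
        view.put("quantity", Integer.toString(quantity));
        view.put("total", String.format("%d.%02d", cents / 100, cents % 100));
        req.getSession().setAttribute("quoteView", Collections.unmodifiableMap(view));

        // The customer-editable page only renders, e.g. ${sessionScope.quoteView.total}
        resp.sendRedirect(req.getContextPath() + "/quote.jsp");
    }
}
```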