I'm using a very simple MVC framework, Bear Bibeault's Front Man, which, for those not familiar, is pretty similar to Spring MVC (in concept at least).

For most cases, I am using a JSP as my view. To prevent direct access to the view, I place the JSP files inside the WEB-INF directory.

However, in some cases I need to use a servlet to represent my view. For instance I have a view servlet that generates PDF, which you shouldn't do in JSP. The problem I'm having is these views are directly accessible by typing the name of the view in the URL. Granted the view throws an exception because it doesn't have a proper model in the request (since it is not hitting the model building page controller), but I would like the view servlet to be hidden from the user, much like my JSP views are.

How do I prevent direct accessing of the view servlet?


Related Question:

Protecting internal view layer template pages in servlet applications

+3  A: 

First step is to use a proper security model to prevent access to your files. Rather than using the side-effect of the WEB-INF directory being inaccessible as a URL (which, BTW, is not guaranteed to work for all web servers), you should use the & elements in your web.xml file to define which directories can or can't be accessed via a direct URL.

Once you've done this, you should be able to map your PDF view to a URL, protect that URL via your web.xml file, then forward to the view from your MVC controller/action (much like you forward to your JSPs).

See the Sun site for more info on the security constraint.

belugabob
Why do so many MVC frameworks use the WEB-INF directory to hide views if there is a better way to do it?
James McMahon
It's not the framework, per se, just habits that people get into (including the developers of the frameworks, who unintentionally give the impression that this is the way to do it). The correct way to do it, according to Sun anyway, is via the security constraints - spend a short while reading the article I linked to, Google a bit, and you should have it sorted fairly quickly.
belugabob
I tested this and it seems to work great. Thank you.
James McMahon
Correction, works great under Tomcat, but our production server is JRun, which is J2EE 1.3, and it doesn't like the web.xml with a security-constraint attribute. Oh well, good suggestion for people not on obsolete crappy servers.
James McMahon
Sorry to hear that, nemo. Which version of JRun are you using? What are the symptoms of JRun 'not liking' web.xml? Have a look at this article - http://www.adobe.com/devnet/server_archive/articles/jrun_authentication.html - which suggests that JRun 3.0 supports security constraints.
belugabob
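A deployment descriptor fragment for the approach in the answer above, as an added example that is not part of the original thread. The servlet name, class and URL patterns are hypothetical, and the DOCTYPE or schema declaration is omitted. It relies on the Servlet specification rule that security constraints apply to client requests only, so a controller that calls `request.getRequestDispatcher("/views/pdf").forward(request, response)` still reaches the view.

```xml
<web-app>
  <!-- Hypothetical PDF view servlet, mapped under a path reserved for views -->
  <servlet>
    <servlet-name>pdfView</servlet-name>
    <servlet-class>com.example.view.PdfViewServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>pdfView</servlet-name>
    <url-pattern>/views/pdf</url-pattern>
  </servlet-mapping>

  <!-- In DTD-based descriptors (Servlet 2.3 / J2EE 1.3) element order is
       enforced: security-constraint must come after all servlet-mapping
       elements and before login-config and security-role. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Internal views</web-resource-name>
      <url-pattern>/views/*</url-pattern>
      <!-- No http-method elements, so the constraint covers every method.
           Listing only GET and POST would leave other methods unprotected. -->
    </web-resource-collection>
    <!-- Empty auth-constraint: no role is allowed, so every direct client
         request to /views/* is refused, authenticated or not. -->
    <auth-constraint/>
  </security-constraint>
</web-app>
```

After deploying, request `/views/pdf` directly and confirm the container answers 403 before the servlet runs, then confirm the controller URL still produces the PDF.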