Advanced Edition of IBM WebSphere Application Server

5.3.3: Protecting individual JSP files

This file describes the steps necessary for selectively protecting JSP files, that is, how to protect individual JSP files based on their Web paths (URIs) when you do not want to apply the same protection to all the JSP files in the system.

Note that the instructions for adding a JSP Web path to a Web application advise you to use the "Add a JSP or a web resource" task wizard in the administrative console. This action adds the JSP Web path, not the actual JSP file, to the Web application. However, when you follow the configuration steps to protect a JSP Web path, the Web path is treated as a Web server resource, separate from the Web application. Therefore, security does not work as intended.

The following procedure will be needed until product defect number 88065 is addressed. Check the "fixed defects" list accompanying IBM WebSphere Application Server fix packs to ascertain whether a given fix pack has addressed the defect.

To protect individual JSP files using WebSphere security, follow these steps:

  1. If you used the "Add a JSP or web resource" task to introduce a new JSP Web path and associate it with Web applications, remove all of the Web paths.
  2. Start the WebSphere administrative console.
  3. Select the Topology view.
  4. Expand the Topology tree to show the node, application server, and servlet engine containing the Web application to which you want to add the JSP.
  5. Select the JSP processor servlet in that Web application.
  6. In the list of Web paths, locate:
    /default_host/<webapp-path>/*.jsp
    where default_host is the default virtual host or one that you have created, and <webapp-path> is the path to the Web application.
  7. Click "Add" to add an entry to the Web path list.
  8. Enter the JSP Web path (URI) that you want to protect, such as:
    /default_host/<webapp-path>/toBeProtected.jsp
    If you have multiple files to protect, enter the URI for each one.
  9. Apply your changes.
  10. Follow the resource security configuration steps to protect these newly added JSP files.
  11. Restart the application server hosting the Web application and JSP files.
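
After the restart in step 11, the selective protection can be checked from outside the console by requesting each JSP without credentials. The following Python script is an added example, not part of the IBM documentation: it reports protected JSP files that are still served anonymously and unprotected ones that now demand authentication. The host name, the JSP names other than toBeProtected.jsp, the status codes treated as an authentication challenge, and the mapping of the virtual host prefix to the URL host are assumptions.

```python
import http.client
from urllib.parse import urlsplit

# Statuses treated as "the server demanded authentication" (assumption:
# 401 for basic auth, 403 for a denied request, 3xx for a login redirect).
CHALLENGE = {401, 403, 301, 302, 303, 307}


def fetch_status(url, timeout=10):
    """Unauthenticated GET that does not follow redirects; returns the status."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        return conn.getresponse().status
    finally:
        conn.close()


def audit(base_url, expectations, fetch=fetch_status):
    """Compare each JSP's unauthenticated response with its intended state.

    expectations maps a URL path to True when the JSP was added to the Web
    path list and protected, False when it should stay open to anonymous
    users. Returns a list of (path, status, problem) tuples."""
    findings = []
    for path, should_protect in sorted(expectations.items()):
        status = fetch(base_url.rstrip("/") + path)
        challenged = status in CHALLENGE
        if should_protect and not challenged:
            findings.append((path, status, "served without authentication"))
        elif not should_protect and challenged:
            findings.append((path, status, "protected but should be open"))
        elif not should_protect and status != 200:
            findings.append((path, status, "unexpected status"))
    return findings


if __name__ == "__main__":
    # Constructed values: the host name and JSP paths are placeholders.
    expected = {
        "/webapp/toBeProtected.jsp": True,
        "/webapp/index.jsp": False,
    }
    for path, status, problem in audit("http://was.example.internal", expected):
        print(f"{path}: HTTP {status} - {problem}")
```

An empty result means every listed JSP behaved as intended for an anonymous request.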
