
How will my web application access JSP files if I put a security constraint in web.xml?

<security-constraint>
    <web-resource-collection>
        <web-resource-name>JSP Files</web-resource-name>
        <description>No direct access to JSP files</description>
        <url-pattern>/pages/*</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description>No direct browser access to JSP files</description>
        <role-name>NobodyHasThisRole</role-name>
    </auth-constraint>
</security-constraint>

I put this in my web.xml to prevent direct access to the JSP pages. But after adding it, my application is not able to access the JSP page that is displayed in the iframe.

<iframe src="pages/home.jsp"  id="contentframe" name="contentframe"  scrolling="no"></iframe> 

The result displayed in the iframe is "access to the resource is denied", while I want my index.jsp to be able to access the JSP pages in the pages folder, but with no direct access to any of the JSP pages.

security-constraint defines HTTP security. An iframe acts as a normal HTTP request and is not related to any internal operation, so if you define security for the pages, the iframe call works the same as if you opened the URL directly.

To hide JSPs from direct access, you must put them under the WEB-INF folder, then use a servlet mapping to access the JSP resources.

Normally, to hide JSP files from users, you would put them in your WEB-INF folder, then use a servlet to make them the "accessible" view. Spring MVC has a DispatcherServlet, which allows you to use a ViewResolver.

However, to answer your question more specifically, if you want to open resources in an iframe, you will need to define the correct header (depending on what you want). One such way to define a header in SpringMVC is an XSSFilter.
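Both answers recommend moving the JSPs under WEB-INF and exposing them through a servlet. The following is an added example of that arrangement, not code from the original posts: the servlet name `ViewServlet`, the `/view/*` mapping, the `/WEB-INF/pages/` location and the view names are assumptions, and `X-Frame-Options` is one possible reading of the "correct header" mentioned above. The iframe would then point at `view/home` instead of `pages/home.jsp`.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical front servlet: /view/home is rendered by /WEB-INF/pages/home.jsp.
// The container never serves /WEB-INF/** to a client request, so the
// NobodyHasThisRole security-constraint is no longer needed for these files.
@WebServlet("/view/*")
public class ViewServlet extends HttpServlet {

    // Allow-list of view names (constructed sample values). Only these can be
    // reached, so the path segment is never used to build an arbitrary file path.
    private static final Set<String> VIEWS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("home", "profile")));

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getPathInfo() is "/home" for /view/home and null for a bare /view.
        String pathInfo = req.getPathInfo();
        String view = (pathInfo == null) ? "" : pathInfo.substring(1);

        // Rejects unknown names, including "../" or nested paths.
        if (!VIEWS.contains(view)) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // Assumption: allow the page to be framed only by pages of the same
        // origin, such as index.jsp with its contentframe iframe.
        resp.setHeader("X-Frame-Options", "SAMEORIGIN");

        // A forward is an internal dispatch, not a new client request, so it
        // can reach resources under WEB-INF that a browser cannot request.
        req.getRequestDispatcher("/WEB-INF/pages/" + view + ".jsp")
           .forward(req, resp);
    }
}
```

The code uses the `javax.servlet` API (Servlet 3.0 or later for `@WebServlet`); on older containers, declare the servlet and its mapping in web.xml instead.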
