This post originated from an RSS feed registered with Java Buzz
by Simon Brown.
Original Post: Securing Pebble #1 : Disable JSP compilation
Feed Title: Simon Brown's weblog
Feed URL: http://www.simongbrown.com/blog/feed.xml?flavor=rss20&category=java
Feed Description: My thoughts on Java, software development and technology.
The first and easiest way to secure Pebble, or any JSP-based webapp for that matter, is to simply disable JSP compilation, so that a JSP somebody manages to add or modify on the server is never turned into running code. Some app servers have a switch to turn this off, and with others you'll have to start up the server with a JRE instead of a JDK (the JSP compiler needs the JDK's javac). Simple but effective, although you'll have to precompile your JSPs first with the tool/script provided by your server vendor. Tomcat provides a jspc Ant task that works fairly well.
The only downside with disabling JSP compilation is that Pebble users won't be able to edit their themes. Well, they can edit them, but the resulting JSPs won't get recompiled at runtime. This is where templating languages such as Velocity and the JSP 2.0 expression language are really useful: theme authors can still change the presentation without being able to put arbitrary Java code into a page.
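For the precompilation step mentioned above, here is an added example of an Ant build fragment using Tomcat's JspC task; it is not from the original post or from Pebble itself. It assumes the Tomcat 5.x directory layout, and `tomcat.home` and `webapp.path` are placeholders you'll need to point at your own installation and exploded webapp.

```xml
<!-- build.xml fragment (added example): translate every JSP under the exploded
     webapp into servlet source, then compile that source into WEB-INF/classes. -->
<project name="precompile-jsps" default="precompile" basedir=".">

  <!-- Assumed locations; adjust for your installation. -->
  <property name="tomcat.home" value="/opt/tomcat"/>
  <property name="webapp.path" value="${basedir}/build/pebble"/>

  <!-- Jasper (the JSP compiler) and the servlet/JSP APIs shipped with Tomcat 5.x. -->
  <path id="jspc.classpath">
    <fileset dir="${tomcat.home}/bin"><include name="*.jar"/></fileset>
    <fileset dir="${tomcat.home}/common/lib"><include name="*.jar"/></fileset>
    <fileset dir="${tomcat.home}/server/lib"><include name="*.jar"/></fileset>
  </path>

  <taskdef classname="org.apache.jasper.JspC" name="jasper2">
    <classpath refid="jspc.classpath"/>
  </taskdef>

  <target name="jspc">
    <!-- Generate servlet source for each .jsp, plus the servlet declarations
         and mappings (generated_web.xml) that web.xml must include so requests
         are served by the precompiled classes rather than the .jsp files. -->
    <jasper2 validateXml="false"
             uriroot="${webapp.path}"
             webXmlFragment="${webapp.path}/WEB-INF/generated_web.xml"
             outputDir="${webapp.path}/WEB-INF/src"/>
  </target>

  <target name="precompile" depends="jspc">
    <mkdir dir="${webapp.path}/WEB-INF/classes"/>
    <javac destdir="${webapp.path}/WEB-INF/classes"
           srcdir="${webapp.path}/WEB-INF/src"
           debug="on" optimize="off" failonerror="true">
      <classpath>
        <pathelement location="${webapp.path}/WEB-INF/classes"/>
        <fileset dir="${webapp.path}/WEB-INF/lib"><include name="*.jar"/></fileset>
        <path refid="jspc.classpath"/>
      </classpath>
    </javac>
  </target>
</project>
```

After running this, paste the servlet and servlet-mapping entries from `generated_web.xml` into the webapp's `web.xml` before deploying, then start the server on a JRE (or with its JSP compilation switch off). A quick check that it worked: edit one of the deployed `.jsp` files and confirm the page served is still the precompiled version.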