WEB-INF doubt?

 
Ranch Hand
Guys,

Anything placed under the WEB-INF directory will not be accessible. However, we can try to tweak this by configuring it in the DD. Then what is the advantage of this? I can make my contents accessible through some settings in the DD. Anyone to comment on this?
 
Joe San
Ranch Hand
Any help guys for my post above??
 
Rancher

"I can make my contents accessible through some settings in the DD."

Really? How?
 
Ranch Hand

Originally posted by Jothi Shankar Kumar Sankararaj:
"Any help guys for my post above??"

I'm still learning, but AFAIK anything under WEB-INF should not be exposed to outsiders. "Tweak" sounds like a scary thing.
 
Joe San
Ranch Hand
Actually this is how I tried,

My web.xml file,

<!-- Servlet entry backed by the JSP stored under WEB-INF -->
<servlet>
    <servlet-name>Concealedjsp</servlet-name>
    <jsp-file>/WEB-INF/concealed.jsp</jsp-file>
</servlet>
<servlet>
    <servlet-name>myServlet</servlet-name>
    <servlet-class>myServlet</servlet-class>
</servlet>
<!-- The JSP above is served at the URL /jjj through this mapping -->
<servlet-mapping>
    <servlet-name>Concealedjsp</servlet-name>
    <url-pattern>/jjj</url-pattern>
</servlet-mapping>

I have a file called concealed.jsp under web-inf directory. And below is what I do in my index.jsp,

<form action="/WEB-INF/concealed.jsp">
    <input type="Submit" value="Submit">
</form>

When I click the submit button, I'm able to see the contents in the concealed.jsp file. So anyone to comment on this??
 
Greenhorn
Hi Jyoti,

In the action you have mentioned "/WEB-INF/concealed.jsp".
In this scenario WEB-INF is treated as a normal folder,
so you can directly use contextname/WEB-INF/concealed.jsp ...
There is nothing special in this.
It is not even necessary to configure jsp-file in web.xml.
 
Joe San
Ranch Hand
That's fine but I'm still not understanding how and why I can get the contents in the web-inf folder??
 
Akbar Upadyayula
Greenhorn
So please don't put accessibles like *.js, *.html, *.jsps inside the WEB-INF folder.
 
Ranch Hand
Hi Joti - the benefit of putting stuff under WEB-INF is that it cannot be directly served. That is, you can't go to your browser and get the server to list the contents of WEB-INF.

i.e.

http://myserver/myapp/WEB-INF/foo.jsp

will NOT work. There may be stuff in your JSPs etc that reveals something of the structure of your app that might be used to help compromise security for instance.

You can however reference stuff within your html and JSPs as you discovered.

Does that help?

Actually Akbar, I disagree with your statement about putting JSPs under WEB-INF. Personally, I don't want a user to be able to read the text of my JSP files, and I tend to put the majority of them under WEB-INF for just that reason.
[ February 20, 2007: Message edited by: Daniel Dalton ]
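
Added example, not code from any poster in this thread: the Servlet specification has the container refuse client requests for paths under WEB-INF while still letting server-side code dispatch to them. The servlet below is hypothetical (the class name `ViewController`, the `/page/*` mapping, the `/WEB-INF/views/` paths and the `user` session attribute are assumptions) and forwards to JSPs under WEB-INF only after an allow-list lookup and an access check; the `<jsp-file>` mapping to `/jjj` posted earlier is the declarative form of the same server-side route.

```java
import java.io.IOException;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical front controller, assumed to be mapped to /page/* in web.xml.
// Clients cannot request /WEB-INF/views/*.jsp by URL; only the server-side
// forward at the end of doGet() reaches those files.
public class ViewController extends HttpServlet {

    // Fixed allow-list: public page name -> JSP kept under WEB-INF.
    // The request never supplies a file path, so it cannot select other
    // WEB-INF resources such as web.xml or compiled classes.
    private static final Map<String, String> VIEWS = Map.of(
            "home", "/WEB-INF/views/home.jsp",
            "account", "/WEB-INF/views/account.jsp");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getPathInfo() is the part after /page, e.g. "/account"; may be null.
        String info = req.getPathInfo();
        String name = (info == null || info.length() < 2) ? "home" : info.substring(1);

        String jsp = VIEWS.get(name);
        if (jsp == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // Access check on the protected view (assumed "user" session attribute).
        // Because the JSP has no URL of its own, a client cannot skip this
        // check by asking for the JSP file directly.
        HttpSession session = req.getSession(false);
        boolean loggedIn = session != null && session.getAttribute("user") != null;
        if ("account".equals(name) && !loggedIn) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Server-side dispatch: the path is resolved inside the web
        // application, where WEB-INF content is visible.
        req.getRequestDispatcher(jsp).forward(req, resp);
    }
}
```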
 
Akbar Upadyayula
Greenhorn
Daniel, you're correct.
 
Joe San
Ranch Hand
Daniel, you are just right and thanks for supporting.
 