WEB-INF implicit protection?

 
Cory Wilkerson
Ranch Hand
Posts: 84
All, I have some XSL that I'm using via Xalan to render some style in my JSP tier. That said, I don't want these XSL files just floating around ready for public viewing. Right now I'm accessing these files via ServletContext and all seems well. My question is this -- is WEB-INF implicitly secure -- do app servers have to protect this directory from public access?
Also, is this considered good or bad form? Should I put my resources somewhere else and perhaps protect it via declarative security?
[ May 20, 2003: Message edited by: Cory Wilkerson ]
 
Gary McGath
Ranch Hand
Posts: 52
Yes, the server should protect the WEB-INF directory from outside access. Don't consider placing a file in there to be high-level security, though; a misconfigured server could conceivably allow web or anonymous FTP access to WEB-INF. If the consequences of exposing the file are just annoying rather than disastrous, you should be OK doing it that way.
 
David O'Meara
Rancher
Posts: 13459
I believe it's a part of the spec that a server is not allowed to serve resources from this directory, but there is sometimes a difference in how it is implemented in some servers.
For example, in the Tomcat source that I checked, it absolutely refuses to pass on anything from the web-inf directory.
I've heard that in other servers (although I've never been able to get it to work myself) you can place JSPs in the web-inf directory and it is possible to forward and include them via another servlet or JSP, but the user is prevented from accessing them directly.
Not a feature that I intend on using though, and I don't recommend anyone build a production system using it either. The vendor could change the behaviour without warning and you'll be stuffed.
Dave
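
The pattern discussed in this thread, as an added example that is not code from any of the posters: the XSL lives under /WEB-INF/ so the container never serves it on a direct request, the servlet reads it through the ServletContext and applies it with JAXP (the API Xalan implements), and a RequestDispatcher forward reaches a JSP under /WEB-INF/ that the container will not serve directly. The paths /WEB-INF/xsl/page.xsl and /WEB-INF/jsp/result.jsp are assumed, as is a container that permits the forward.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.StringReader;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class RenderServlet extends HttpServlet {
    // Assumed paths; both sit below WEB-INF, so a browser request for them gets a 404.
    private static final String XSL_PATH = "/WEB-INF/xsl/page.xsl";
    private static final String JSP_PATH = "/WEB-INF/jsp/result.jsp";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getResourceAsStream reads inside the web application, WEB-INF included,
        // even though the same path is hidden from HTTP clients.
        InputStream xsl = getServletContext().getResourceAsStream(XSL_PATH);
        if (xsl == null) {
            throw new ServletException("Stylesheet not found: " + XSL_PATH);
        }
        try (InputStream in = xsl) {
            TransformerFactory tf = TransformerFactory.newInstance();
            // Secure processing stops the stylesheet from running extension
            // functions or pulling in external resources.
            tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            Transformer t = tf.newTransformer(new StreamSource(in));
            // Constructed sample input; a real servlet would build this from model data.
            String xml = "<page><title>WEB-INF demo</title></page>";
            resp.setContentType("text/html;charset=UTF-8");
            t.transform(new StreamSource(new StringReader(xml)),
                        new StreamResult(resp.getWriter()));
        } catch (TransformerException e) {
            throw new ServletException("XSL transform failed", e);
        }
    }

    // The forward Dave describes: the JSP under WEB-INF is reachable only
    // server-side through the dispatcher, never by a direct client request.
    protected void forwardToHiddenJsp(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        req.getRequestDispatcher(JSP_PATH).forward(req, resp);
    }
}
```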
 
It is sorta covered in the JavaRanch Style Guide.