Lots of developers in forums write that files under the WEB-INF directory cannot be directly accessed. Does anyone know where the reference to that rule is in the J2EE (more specifically, servlet) specifications? Do I have to declare a new rule, like an access restriction, in my HTTP server? Thanks in advance.
posted 15 years ago
Here's the answer to my first question: the Servlet 2.3 spec, chapter 9.4, clearly explains that the WEB-INF directory must not be served. But this remains: does that mean that we have to configure our HTTP server? Is this setting possible with iPlanet?
I have never seen a server that allows anything in WEB-INF to be served directly. I doubt there is a switch in any server.
What I have seen is some servers that prevent a web app from forwarding a request through a RequestDispatcher to a resource inside of WEB-INF. I have preferred to keep JSPs in a directory in WEB-INF (WEB-INF/jsp). This prevents the user from directly hitting the JSP without going through the servlet (basic MVC) if they happen to know the JSP's URL. What I found was that some servers (Tomcat) were smart enough to allow this since the request came from my servlet, while other servers (WebLogic 6.1) did not allow it, simply rejecting the URL based solely on the fact that it contained WEB-INF.
To summarize, do not put things in WEB-INF that you want served. If you must, write some type of logic that allows you to switch the base directory from WEB-INF/anything to something more standard.
Thank you for your responses. I have understood that I should not put things in WEB-INF that I want served. But this was not my proposal. My aim is to put only config files in WEB-INF, and to prevent clients from calling them. My environment is WAS with iPlanet. And I notice that, if I don't configure anything special, config files can be served to clients!!! I was surprised since I thought WAS was configured by default to prevent calls to the WEB-INF directory. I realized that it is not. And now my question is: is this normal? Do I have to add a special parameter on iPlanet?
If you have no valid web application there is no special treatment of WEB-INF and it's just another directory under your webserver. If it is a valid web application there's either a configuration error in your application server (causing it to not recognise the application) or (far less likely) a bug in the server itself.
In a Java web application, files in WEB-INF can NEVER be called from code living outside the application's Java/JSP code.
Of course any other application serving data which knows nothing of your directory being a web application can still access it using regular calls to the filesystem unless you set operating system level access restrictions on the files.
I'd amend that to be "Do not put things in WEB-INF that you want served directly".
All my JSP files go under WEB-INF. That way, they cannot be served without going through the appropriate controller servlet.
I agree with this totally. In the past I have used web servers that will not allow this either, not without you writing specific code. Tomcat allowed my servlets to forward to a URL in WEB-INF but WebLogic 6.1 did not. Hopefully that has changed (have not used WL since 6.1).
Bear's approach is my preferred approach, just make sure your container allows for it.
Jeroen, my web application seems to be valid... I think that my iPlanet server is valid too, but it is not J2EE! Actually, in my environment, iPlanet serves the static part of my webapp, but iPlanet doesn't know anything about J2EE rules, such as WEB-INF. So I will teach it by adding a restriction for this folder. Thanks all.
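The restriction the static front end needs, as an added example that is not from this thread or from iPlanet: the path normalisation a plain web server (which, unlike a servlet container, knows nothing of WEB-INF) should apply before deciding whether a request targets that folder. It goes a little beyond the case above by also handling percent-encoding, "..", backslashes and path parameters; function names and the context-root handling are my own assumptions.

```python
import posixpath
from urllib.parse import unquote


def normalize_request_path(raw_path: str) -> str:
    """Canonicalise a request path the way a static-file front end should
    before comparing it against a protected directory such as WEB-INF."""
    path = raw_path.split("?", 1)[0]              # the query string is irrelevant
    for _ in range(3):                            # undo (possibly repeated) percent-encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")                # some servers accept backslash as a separator
    # Drop per-segment path parameters (";name=value"), which servlet
    # containers remove before resolving the resource.
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    if not path.startswith("/"):
        path = "/" + path
    while "//" in path:                           # collapse duplicate slashes
        path = path.replace("//", "/")
    return posixpath.normpath(path)               # resolve "." and ".." segments


def is_web_inf_request(raw_path: str, context_root: str = "/") -> bool:
    """True if the request resolves to WEB-INF, or anything below it, within
    the web application mounted at context_root. The comparison is
    case-insensitive because a case-insensitive filesystem would otherwise
    hand out /web-inf/web.xml (assumed policy, not an iPlanet setting)."""
    path = normalize_request_path(raw_path).lower()
    root = posixpath.normpath("/" + context_root.strip("/")).rstrip("/").lower()
    if root and not (path == root or path.startswith(root + "/")):
        return False                              # request is outside this webapp
    segments = [s for s in path[len(root):].split("/") if s]
    return bool(segments) and segments[0] == "web-inf"
```

A front end that answers 404 or 403 whenever `is_web_inf_request` is true matches what Servlet 2.3 chapter 9.4 requires of the container itself.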
iPlanet is still not J2EE compliant? They've had 6 years now...
They've also been around for a long time, and there are many old installations still around. 5 years ago they were among the best in performance and features, with a nice glossy administration console and slick sales representatives. Those things sell units to CEOs of large companies who can't judge the merits of a platform and are too entrenched in their ivory towers to ask for a professional judgment from the people in the trenches.