Need for servlet mapping in web.xml
Hi,
As I understand it, servlet mapping is done to hide the directory-level information and to get some level of security. I mean to say we are avoiding the directory structure in the URL, which in turn provides the security.
So... if somebody gets to know the structure, he would access the files illegally. Isn't it? But what if he gets the web.xml file itself??

I think I am confusing you guys because I am also....
 
But what if he gets the web.xml file itself??


By what means will he get access to web.xml?
web.xml present at its intended location cannot be accessed directly through a web URL.

If security is your concern, you can use other mechanisms like filters for that.
 
sony agrwal wrote:
So... if somebody gets to know the structure, he would access the files illegally. Isn't it?

As far as I know, no. Not possible.
sony agrwal wrote:
But what if he gets the web.xml file itself??


How?
 
sony agrwal wrote:Hi,
But what if he gets the web.xml file itself??


Nobody could if web.xml is in WEB-INF. Try keeping things in WEB-INF if you don't want an unauthorized one to try to access ...

Hi,

web.xml is present in WEB-INF folder, and we can access anything from WEB-INF by calling browser.
That is a secret folder. That is why the user never gets web.xml at any cost.
Resources from WEB-INF we can access in the same web application, e.g. properties files.

HTH.
 
Shailesh Narkhede wrote:Hi,

web.xml is present in WEB-INF folder, and we can not access anything from WEB-INF by calling browser.



Note the correction - I think it's what Shailesh was really trying to say.

I'm going to repeat one of my "favorite" sayings here, since it's important:

A web server is not a file server!

URLs look similar to filename paths. They are not. URLs are Uniform Resource Locators.

URLs are passed to the web server, which decodes them and (usually) passes them on to the web applications, which then also decode them and determine what resource is being requested and how to return it to the client. In many cases, parts of the URL will be used to construct a server-local filename path and copy the contents of a file at that location, but this is just one option.

When a J2EE appserver encounters incoming URLs, one of the things it does is look at a table of URL mappings that was built for the destination webapp. If the incoming URL matches one of those URLs, the appserver then looks at the mapping target data. If the mapping target data corresponds to the symbolic name that was given to a servlet, then the URL is passed to that servlet. That's a little simplified, since even before the URL routing mapping is checked, a security mapping would be checked first, if one existed, but that's the general idea.

J2EE was designed to produce robust, scalable, and maintainable applications. Part of that design involves extra indirections such as the servlet mapping. Although it makes overall design a little more complex, it makes the application as a whole less expensive to maintain and makes it easier to use generic "plug-in" components.

Sorry to be too visually offensive on this post, but I hope it drew attention to the important things.

Hi sony

web.xml must be placed in the WEB-INF folder. If the container receives a request for any file under WEB-INF it should return 404 - Not Found. At least if I remember correctly.

If you have partial files, eg. .jsp headers or footers they can be placed under eg WEB-INF/templates. This way you avoid any user accessing them directly. The same applies to your servlet .class files. Put them under WEB-INF to avoid direct access.

Cheers
Reidar
 
Reidar Gjerstad wrote:If you have partial files, eg. .jsp headers or footers they can be placed under eg WEB-INF/templates.

Any JSP can (and should) be placed under WEB-INF to avoid direct access.

The same applies to your servlet .class files.

Class files must be in a package hierarchy under WEB-INF/classes or in a jar file under WEB-INF/lib.
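
The two points made in the posts above (URLs are routed through a mapping table rather than read as file paths, and JSPs can be kept under WEB-INF) fit together as in the following sketch. It is an added example, not code from any poster in this thread; the package, class name, URL pattern and JSP paths are hypothetical, and it assumes the javax.servlet API.

```java
package example;

import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Hypothetical front controller. Assumed mapping in WEB-INF/web.xml:
 *
 *   <servlet>
 *     <servlet-name>pages</servlet-name>
 *     <servlet-class>example.PageController</servlet-class>
 *   </servlet>
 *   <servlet-mapping>
 *     <servlet-name>pages</servlet-name>
 *     <url-pattern>/pages/*</url-pattern>
 *   </servlet-mapping>
 */
public class PageController extends HttpServlet {

    // Allowlist: public path info -> JSP kept under WEB-INF (constructed names).
    private static final Map<String, String> VIEWS;
    static {
        Map<String, String> m = new HashMap<>();
        m.put("/home", "/WEB-INF/jsp/home.jsp");
        m.put("/report", "/WEB-INF/jsp/report.jsp");
        VIEWS = Collections.unmodifiableMap(m);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // For /pages/report, getPathInfo() returns "/report"; it is null for /pages.
        String view = VIEWS.get(req.getPathInfo());
        if (view == null) {
            // Unknown name: never build a dispatcher path from request input.
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // A server-side forward may target WEB-INF; a browser request for
        // /WEB-INF/jsp/report.jsp is refused by the container.
        req.getRequestDispatcher(view).forward(req, resp);
    }
}
```

The public URL /pages/report says nothing about where report.jsp lives on disk, and the allowlist means a request cannot steer the forward to an arbitrary path.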
 
Bear Bibeault wrote:
Reidar Gjerstad wrote:If you have partial files, eg. .jsp headers or footers they can be placed under eg WEB-INF/templates.

Any JSP can (and should) be placed under WEB-INF to avoid direct access.

The same applies to your servlet .class files.

Class files must be in a package hierarchy under WEB-INF/classes or in a jar file under WEB-INF/lib.


Hi Bear

I guess you mean to say that "Any JSP that is not meant to be accessed directly should be under WEB-INF. JSPs that are meant to be accessed directly must not be in WEB-INF."

Sometimes you have something like "mainpage.jsp", meant to be accessed directly without going through a servlet. Such JSPs must be outside WEB-INF.

Cheers