• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

war-less jar-based deployment

 
Ranch Hand
Posts: 260
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
this time i have a kind of theoretical question. one of sw developers working for a pretty big company told me today, that they don't use war files for their application deployments. their sw architects believe, that war files are evil, since deployment of un-wared classes is not secure enough in terms of a damage that can be caused by their operations group employees, playing with servers. as far as i understood, their solution is to pack the application into jar and add it to the empty webapp style tree's WEB-INF/lib folder. they are also used to edit server.xml to add the app's context pass there to enable it on the path they use. i was really puzzled by this explanation, i never seen anything like this before. personally i believe that the whole "operations folks problem" sounds like a paranoia, but still, it's hard for me to decide what are the pros and cons of such solution. what do you think? bizarre or brilliant?

thanks.
 
Saloon Keeper
Posts: 27763
196
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator


Bizarre or brilliant?



Appalling! Hope you're prepared to bail when these geniuses screw up royally and take something critical down. They evidently don't have a clue.

ALL webapps are WARs, per the J2EE standard. A WAR is nothing but a JAR with a specific structure. Some appservers also support "exploded" WARs, which are nothing more than WARs that have been UnZipped (since a WAR is a JAR and a JAR is a ZIP file with a META-INF in it).

There is no such thing as a "WEB-INF/lib" directory in ANY J2EE application server. WEB-INF and its lib and classes subdirectories are part of the structure that makes a JAR a WAR. Without WEB-INF, it's a JAR, not a WAR, and the server is at liberty to ignore the JAR, or even crash and burn (hopefully not, since that's not very robust handling).

So what this bunch of brilliant folks are really doing is slapping a bunch of files into an existing exploded WAR structure, and in my book, that's less secure than deploying an integral WAR unit, not more.

Qualification: I said "All webapps are WARs, but actually, full-stack J2EE also supports collections of WARs (and other webapp resources) bundled in an EAR. Some servers, such as WebSphere will deploy simple WARs by synthesizing the parts of an EAR that would have otherwise been present so that all of its deployed apps are actually EARs.
 
Don't get me started about those stupid light bulbs.
reply
    Bookmark Topic Watch Topic
  • New Topic