Posted to users@tomcat.apache.org by "Craig R. McClanahan" <cr...@apache.org> on 2001/08/15 21:11:51 UTC

RE: Does the servlet security model work with the J2EE Blueprint MVC?


On Wed, 15 Aug 2001, Lin, Zhongwu wrote:

> I have a question about the last paragraph of your answer.
> 
> 	[Lin, Zhongwu]  
> 	can you explain in more detail on the last paragraph:
> 	put those JSP pages inside the /WEB-INF
> 	directory.  This works because the container will refuse to serve anything
> 	under /WEB-INF directly to the user, but RequestDispatcher.forward() can
> 	still be used to display them.
> 	[Lin, Zhongwu]  How do I reference those JSP pages in my app?
> 	should I do like:
> 	/WEB_INF/mypage.jsp   
> 
> > > -Jerome
> > 
> > Craig McClanahan
> > 
> 

Let's start with a simple experiment.  Start up Tomcat and request the
following URL:

  http://localhost:8080/examples/WEB-INF/web.xml

What happens?  You get a 404 error, even though the web.xml file is really
there.  This is based on a Servlet Specification restriction that
*nothing* inside the "/WEB-INF" directory may be served directly to a
client in response to a request.

However, it is legal to access these contents from within a servlet or JSP
page, or access them through a request dispatcher.  For example, I could
read the contents of web.xml myself like this:

  InputStream is =
   getServletContext().getResourceAsStream("/WEB-INF/web.xml");

or, if I have a JSP page "foo.jsp" in the /WEB-INF directory, I can do
this:

  RequestDispatcher rd =
   getServletContext().getRequestDispatcher("/WEB-INF/foo.jsp");
  rd.forward(request, response);

or (from a JSP page):

  <jsp:forward page="/WEB-INF/foo.jsp"/>

This works because the access is from *inside* the web app, whereas the
following request (from a client) will generate a 404:

  http://localhost:8080/examples/WEB-INF/foo.jsp

In summary, if you are using an MVC style application architecture like
that proposed in J2EE Blueprints (or in Struts), you can easily make it
impossible for your users to navigate directly to a page without going
through the controller first.

Craig
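
An added example, not part of the original post or of Tomcat: a front controller that is the only route to JSP pages kept under /WEB-INF, using the RequestDispatcher.forward() call shown above. The servlet name, the view names, the JSP paths and the "viewName" attribute are assumptions; the forward target comes from a fixed map rather than from the request, so a client cannot use the controller to reach other /WEB-INF resources such as web.xml.

```java
import java.io.IOException;
import java.util.Map;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical front controller, mapped in web.xml to e.g. /app/*.
// Uses the javax.servlet API (as in the post) and Java 9+ for Map.of.
public class ControllerServlet extends HttpServlet {

    // Fixed allow-list: logical view name -> JSP kept under /WEB-INF.
    // Names and paths are constructed for this example.
    private static final Map<String, String> VIEWS = Map.of(
        "home",    "/WEB-INF/jsp/home.jsp",
        "account", "/WEB-INF/jsp/account.jsp");

    // Resolve a request path such as "/account" to a JSP path, or null.
    // The dispatcher path is never built from request data, so a request
    // cannot steer the forward to /WEB-INF/web.xml or any other resource.
    static String resolveView(String pathInfo) {
        if (pathInfo == null || pathInfo.length() < 2) {
            return VIEWS.get("home");
        }
        return VIEWS.get(pathInfo.substring(1));
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String jsp = resolveView(request.getPathInfo());
        if (jsp == null) {
            // Unknown view name: same answer a direct /WEB-INF request gets.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Controller logic (access checks, loading model data) runs here,
        // before the view; the attribute name is an assumption.
        request.setAttribute("viewName", jsp);
        RequestDispatcher rd = getServletContext().getRequestDispatcher(jsp);
        rd.forward(request, response);
    }
}
```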