You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@struts.apache.org by Kevin Duffey <kd...@buymedia.com> on 2000/06/14 19:13:53 UTC
Struts and Orion App Server
Hi,
Just wanted to inform anyone using Orion what seems to be happening. After
talking with Craig and the Orion team and users, a few things have been
noted.
First, there is a bug in JDK1.3 with getResource() calls, which Struts uses
to load locale information. So, if you use JDK 1.3 to run Orion (and I would
assume the same problem exists for Tomcat and other engines), you will
consistently be getting a "can't load resource" error in the browser. At
least that is what happens to me.
Second, Struts defaults to /WEB-INF/action.xml to load the action.xml config
file. Apparently, this is not allowed per Servlet 2.2 spec..an app can not
access the WEB-INF dir, only the server can. I don't know how valid this is,
but as soon as I moved action.xml to my /www folder, and in my
WEB-INF/web.xml file set the init attribute of config to use /action.xml
(instead of /WEB-INF/action.xml) everything worked.
On that note..Craig, it is now working. As long as I use JDK 1.2.2, and put
action.xml in /www, it seems to work. I sent a form to an action, and it is
indeed getting the request.
Now, I assume we wait for a JDK1.3.1 patch or something and hope they fix
this problem. As for the /WEB-INF access, I am not sure why this happens.
Craig, maybe you can look into this and see why Tomcat allows this but Orion
doesn't. Without starting a war between the two products, supposedly Tomcat
is not in full compliance if it allows WEB-INF access from a deployed
application..this has been not allowed because of security issues. I'd love
to hear about this.
Thanks.
Re: Struts and Orion App Server
Posted by "Craig R. McClanahan" <Cr...@eng.sun.com>.
Kevin Duffey wrote:
>
> Second, Struts defaults to /WEB-INF/action.xml to load the action.xml config
> file. Apparently, this is not allowed per Servlet 2.2 spec..an app can not
> access the WEB-INF dir, only the server can. I don't know how valid this is,
> but as soon as I moved action.xml to my /www folder, and in my
> WEB-INF/web.xml file set the init attribute of config to use /action.xml
> (instead of /WEB-INF/action.xml) everything worked.
>
It is perfectly acceptable for a servlet or JSP page to use the
ServletContext.getResource() call to access things in the WEB-INF subdirectory.
If your servlet container does not let you do this, it's a bug in the
container. (The reason this directory was defined as it is in the servlet spec
was for precisely this purpose -- to hold configuration files and other things
in a well-defined place.)
What is prohibited is serving the contents of any file under WEB-INF in response
to a client request like this:
http://www.mycompany.com/WEB-INF/action.xml
because you don't want clients to be able to snoop your configuration files.
After all, there is often sensitive information like database passwords stored
in these files.
Craig