Posted to dev@tomcat.apache.org by "Peter S. Heijnen" <to...@asobrain.com> on 2001/06/01 07:20:16 UTC
Re: 3.2.2 - handling requests for WEB-INF/*
But, since the WEB-INF directory may be used internally, it is actually a
nice place to stick some 'hidden' files.
Isn't there any way to distinguish internal requests from direct client
requests? If not, the WEB-INF directory should be filtered at a lower level
before the request is sent to the CM.
> Read the specification, section 9.4:
>
> A special directory exists within the application hierarchy named
> "WEB-INF". This directory contains all things related to the
> application that aren't in the document root of the application. It is
> important to note that the WEB-INF node is not part of the public
> document tree of the application. No file contained in the WEB-INF
> directory may be served directly to a client.
Re: 3.2.2 - handling requests for WEB-INF/*
Posted by "Craig R. McClanahan" <cr...@apache.org>.
On Fri, 1 Jun 2001, Peter S. Heijnen wrote:
> But, since the WEB-INF directory may be used internally, it is actually a
> nice place to stick some 'hidden' files.
>
> Isn't there any way to distinguish internal requests from direct client
> requests? If not, the WEB-INF directory should be filtered at a lower level
> before the request is sent to the CM.
>
> > Read the specification, section 9.4:
> >
> > A special directory exists within the application hierarchy named
> > "WEB-INF". This directory contains all things related to the
> > application that aren't in the document root of the application. It is
> > important to note that the WEB-INF node is not part of the public
> > document tree of the application. No file contained in the WEB-INF
> > directory may be served directly to a client.
>
Correct behavior (also clarified more clearly in the 2.3 spec) includes
the following:

* Client requests for URIs like /WEB-INF/xxx (or /META-INF/xxx) are
  prohibited.

* Servlets can access application resources within these directories:

    URL url = getServletContext().getResource("/WEB-INF/web.xml");
    InputStream stream =
      getServletContext().getResourceAsStream("/WEB-INF/web.xml");

* Servlets can use a request dispatcher to forward/include a URI that
  is within WEB-INF (this is one way to keep people from directly
  accessing your JSP pages in an MVC-organized web app):

    RequestDispatcher rd =
      getServletContext().getRequestDispatcher("/WEB-INF/mypage.jsp");
    rd.forward(request, response);

* Servlets can use Class.getResource()/getResourceAsStream() and
  ClassLoader.getResource()/getResourceAsStream() to include unpacked
  resources in /WEB-INF/classes, or resources packaged in JAR files
  in /WEB-INF/lib.

* (2.3 requirement only) Classes and resources in /WEB-INF/classes
  override classes and resources with the same name under
  /WEB-INF/lib.

Craig McClanahan
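
The forward-into-WEB-INF pattern from the reply above, written out as a complete servlet. This is an added example, not part of the original messages and not Tomcat's own code. The class name, the /app/* mapping and the view paths are assumptions chosen for illustration.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical front controller, assumed to be mapped to /app/* in web.xml.
// It is the only route to the JSPs kept under /WEB-INF/views/: a direct
// client request for /WEB-INF/views/home.jsp is refused by the container,
// while the internal forward below is allowed.
// (Containers on Servlet 5.0 and later use jakarta.servlet instead of javax.servlet.)
public class FrontController extends HttpServlet {

    // Fixed allowlist: the client selects a key, never a path, so request
    // input cannot steer the forward to another file under /WEB-INF
    // (for example the deployment descriptor).
    private static final Map<String, String> VIEWS = new HashMap<>();
    static {
        VIEWS.put("/home", "/WEB-INF/views/home.jsp");     // hypothetical view
        VIEWS.put("/orders", "/WEB-INF/views/orders.jsp"); // hypothetical view
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // getPathInfo() is the part of the URI after /app, or null for exactly /app.
        String key = request.getPathInfo();
        String view = (key == null) ? null : VIEWS.get(key);
        if (view == null) {
            // Unknown view name: answer 404 without echoing the requested path.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // getRequestDispatcher() may return null if the container cannot
        // provide a dispatcher for the path.
        RequestDispatcher rd = getServletContext().getRequestDispatcher(view);
        if (rd == null) {
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return;
        }
        rd.forward(request, response);
    }
}
```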