Posted to dev@tomcat.apache.org by "Peter S. Heijnen" <to...@asobrain.com> on 2001/06/01 07:20:16 UTC

Re: 3.2.2 - handling requests for WEB-INF/*

But, since the WEB-INF directory may be used internally, it is actually a
nice place to stick some 'hidden' files.

Isn't there any way to distinguish internal requests from direct client
requests? If not, the WEB-INF directory should be filtered at a lower level
before the request is sent to the CM.

> Read the specification, section 9.4:
>
> A special directory exists within the application hierarchy named "WEB-INF".
> This directory contains all things related to the application that aren't in
> the document root of the application. It is important to note that the WEB-INF
> node is not part of the public document tree of the application. No file
> contained in the WEB-INF directory may be served directly to a client.




Re: 3.2.2 - handling requests for WEB-INF/*

Posted by "Craig R. McClanahan" <cr...@apache.org>.
On Fri, 1 Jun 2001, Peter S. Heijnen wrote:

> But, since the WEB-INF directory may be used internally, it is actually a
> nice place to stick some 'hidden' files.
> 
> Isn't there any way to distinguish internal requests from direct client
> requests? If not, the WEB-INF directory should be filtered at a lower level
> before the request is sent to the CM.
> 
> > Read the specification, section 9.4:
> >
> > A special directory exists within the application hierarchy named "WEB-INF".
> > This directory contains all things related to the application that aren't in
> > the document root of the application. It is important to note that the WEB-INF
> > node is not part of the public document tree of the application. No file
> > contained in the WEB-INF directory may be served directly to a client.

Correct behavior (also clarified more clearly in the 2.3 spec) includes
the following:

* Client requests for URIs like /WEB-INF/xxx (or /META-INF/xxx) are
  prohibited.

* Servlets can access application resources within these directories:

    URL url = getServletContext().getResource("/WEB-INF/web.xml");
    InputStream stream =
     getServletContext().getResourceAsStream("/WEB-INF/web.xml");

* Servlets can use a request dispatcher to forward/include a URI that
  is within WEB-INF (this is one way to keep people from directly
  accessing your JSP pages in an MVC-organized web app):

    RequestDispatcher rd =
     getServletContext().getRequestDispatcher("/WEB-INF/mypage.jsp");
    rd.forward(request, response);

* Servlets can use Class.getResource()/getResourceAsStream() and
  ClassLoader.getResource()/getResourceAsStream() to include unpacked
  resources in /WEB-INF/classes, or resources packaged in JAR files
  in /WEB-INF/lib.

* (2.3 requirement only) Classes and resources in /WEB-INF/classes
  override classes and resources with the same name under
  /WEB-INF/lib.

Craig McClanahan
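
The servlet below is an added example, not code from the thread or from Tomcat, that puts the points above together: it reads a file that lives under /WEB-INF via getResourceAsStream(), then forwards to a JSP under /WEB-INF so the page is reachable only through the servlet and never by a direct client request. The deployment it assumes is hypothetical: the servlet is mapped to /app/* in web.xml, and /WEB-INF/app.properties and /WEB-INF/mypage.jsp exist in the webapp. The "view" parameter and its allowlist are also assumptions, added to show the one caveat a practitioner wants here: the container refuses /WEB-INF/* from the client, but a forward target built from unchecked request input would hand the client that access back by proxy.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Properties;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not from the original thread or from Tomcat).
 * Assumed deployment: mapped to /app/* in web.xml, with
 * /WEB-INF/app.properties and /WEB-INF/mypage.jsp present in the webapp.
 */
public class FrontControllerServlet extends HttpServlet {

    private final Properties settings = new Properties();

    // ServletContext.getResourceAsStream() reads from the application
    // hierarchy, not the public document tree, so /WEB-INF/app.properties
    // is readable here even though a browser request for it is refused.
    public void init() throws ServletException {
        InputStream in = getServletContext()
                .getResourceAsStream("/WEB-INF/app.properties");
        if (in == null) {
            throw new ServletException("/WEB-INF/app.properties not found in webapp");
        }
        try {
            settings.load(in);
        } catch (IOException e) {
            throw new ServletException("cannot read /WEB-INF/app.properties", e);
        } finally {
            try { in.close(); } catch (IOException ignored) { }
        }
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Hypothetical "view" parameter selecting the JSP to render.
        // The container blocks /WEB-INF/* from clients, but a forward target
        // assembled from unchecked input (e.g. "../other" or an absolute
        // path) would let the client pick any page under WEB-INF through
        // the servlet. Restrict it to a plain lowercase name first.
        String view = req.getParameter("view");
        if (view == null) {
            view = "mypage";
        }
        if (!view.matches("[a-z]+")) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "bad view name");
            return;
        }

        // Data for the page travels as request attributes; the JSP itself
        // stays under /WEB-INF and is reached only via this forward.
        req.setAttribute("title", settings.getProperty("title", "untitled"));

        RequestDispatcher rd = getServletContext()
                .getRequestDispatcher("/WEB-INF/" + view + ".jsp");
        if (rd == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        rd.forward(req, resp);
    }
}
```

With this mapping, GET /app/?view=mypage renders /WEB-INF/mypage.jsp, while GET /WEB-INF/mypage.jsp or GET /WEB-INF/app.properties from a browser is refused by the container as the spec text quoted above requires. Checking both behaviours after deployment is a cheap way to confirm the container is doing its part and the servlet is not undoing it.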