I got a jsp page in the following dir structure... WEB-INF/templates/jsp/navigations/test.jsp How do I make a link to a jsp(test2.jsp) in that same dir. ie. <a href="test2.jsp">Link</a> does not link me to the right place.
Two Questions first: (1) are you using tomcat? (2) why are your jsp files under the WEB-INF folder? <splurb> As far as I would figure, this isn't the right place for them - I may stand to be corrected. Rather put them in the folder for your web app in the webapps folder and then you should be able to link to them how you mentioned. </splurb>
WEB-INF is about as wrong a place as you can get - it's supposed to be inaccessible for presentation. WEB-INF is where the class files, libraries, config files, resources, and other "invisible" support stuff goes. JSP's should go in the project root (at the SAME level as WEB-INF, not INSIDE it). Or in user-defined subdirectories of the root, if there's a need to divide them up.
An IDE is no substitute for an Intelligent Developer.
Joined: Sep 10, 2001
I wanted to make my jsp pages secure. How can I go about doing that?
Very old but useful post. I tried to keep my javadoc API in a project preparing a directory structure as /WEB-IBF/api and found my tomcat can't access them through a simple URL. But it works fine out of WEB-INF directory. I tested it a few days ago using Tomcat 4.1.24. I would like to know if there is any specification for the servlet/JSP containers that it won'y allow HTML or JSP files to access and process from within WEB-INF directory?
Ashik Uzzaman Senior Software Engineer, TubeMogul, Emeryville, CA, USA.
I can't quote anything concrete, but my understanding is that this is a bit of a grey area. Web containers are not allowed to serve requests from the web-inf directory, but it is the interpretation of this meaning that is apparently different between servers. When I took the time to search the Tomcat code (I'm not sure of the version), I found it blocks all access to the web-inf directory in the container. I've heard rumours that some servers allow include and forward calls to be made to resources in the web-inf directory, but I've never been able to verify this behaviour. My preference for protecting JSPs is to place them in a separate directory (eg /jsps) and prevent them being served directly using the web server.
A final comment when storing your JSPs underneath WEB-INF: not all containers support this feature. Earlier versions of WebLogic did not interpret the Servlet specification the same as others, and it was not possible to do this. This is reported to be changed with newer versions of WebLogic. Just be sure to check your specific container.
I've been bitten too many times by non-specific behaviour like this ever use it in production. Not only is it vendor specific, but it is the sort of thing that varies between versions too, and will not be part of the documentation. You won't know if it works in the next product till you try it - not very stable for production code! I'll still push the web server as the place to put this rule. Dave ( Do you want me continue the sequence )