
how to access jsp under WEB-INF folder

 
Amit Sharma
Ranch Hand
Posts: 87
I have some JSPs under the WEB-INF folder, and as I know, they can't be accessed directly. So how can I access those JSPs?
 
Rao Raghu
Ranch Hand
Posts: 100
You cannot access jsp under WEB-INF. It is not a standard J2EE Spec. The container only looks for class-files in WEB-INF and if you ask for jsp in this directory, it will return an error 404.

 
Amit Sharma
Ranch Hand
Posts: 87
Thanks Raghu sir, but I don't want to access my JSPs directly. How can that be possible? Like, first they have to fill in some password, and only then will the next page be available to them. But if they know the name of the next page, they will directly access it.
 
Rao Raghu
Ranch Hand
Posts: 100
You mean sessions? Make your queries clear.
 
vijay kumarg
Ranch Hand
Posts: 105
Amit,
The resources which need to be protected from HTTP access are placed under WEB-INF. Normally JSPs serve the purpose of presentation to the user; that is why they are placed outside WEB-INF.
Filters are attached to the views (jsp/html/.doc/.txt/xml) to prevent direct access to those views by requesting a URL to that resource in the browser.
I suggest you try a sample application and check for yourself.
 
Ben Souther
Sheriff
Posts: 13411
Originally posted by Amit Arya:
I have some JSPs under the WEB-INF folder, and as I know, they can't be accessed directly. So how can I access those JSPs?


You can access them by forwarding to them from another resource that is available to the web (a JSP that is not under WEB-INF, or a controller servlet).

You can also grant access to them by creating a servlet entry for each JSP with a corresponding servlet-mapping entry.
When creating the servlet entry, use the jsp-file attribute in place of the servlet-class attribute.

See section 10 in SRV.13.4 of the servlet spec for complete details regarding the servlet element entry.
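The forwarding approach from the post above, as an added example that is not part of the original thread: a controller servlet that is the only web-reachable entry point and forwards to JSPs kept under WEB-INF. The class name, URL pattern and JSP paths are assumptions, and the annotation requires a Servlet 3.0+ container.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical controller servlet: the only web-reachable entry point for the
// views. Assumes Servlet 3.0+ annotations; on older containers declare the
// servlet and its servlet-mapping in web.xml instead.
@WebServlet("/page/*")
public class PageController extends HttpServlet {

    // Allowlist of logical names to JSPs under WEB-INF (constructed paths).
    // The request only supplies a key, never a file path, so a client cannot
    // steer the forward to an arbitrary resource.
    private static final Map<String, String> VIEWS = new HashMap<String, String>();
    static {
        VIEWS.put("/orders", "/WEB-INF/pages/orders.jsp");
        VIEWS.put("/profile", "/WEB-INF/pages/profile.jsp");
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // For /page/orders the path info is "/orders"; it is null for /page.
        String name = req.getPathInfo();
        String jsp = (name == null) ? null : VIEWS.get(name);
        if (jsp == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Data the JSP should render goes in request attributes.
        req.setAttribute("viewName", name.substring(1));
        // A server-side forward is an internal dispatch, so it can reach
        // WEB-INF even though a browser request for the same path gets a 404.
        req.getRequestDispatcher(jsp).forward(req, resp);
    }
}
```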
 
Hunny Lee
Greenhorn
Posts: 23
Originally posted by Amit Arya:
I have some JSPs under the WEB-INF folder, and as I know, they can't be accessed directly. So how can I access those JSPs?


Create an intermediary JSP outside of WEB-INF that includes your JSP.
e.g.
your page is javaranch/WEB-INF/pages/yourPage.jsp
create a page javaranch/yourPage.jsp
Source Code:
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 64185
I really don't see any benefit of creating a one-line intermediary JSP just so you can put the "real" JSPs under WEB-INF. There's no benefit to the extra level of indirection or to protect the JSPs from direct access.

Under such a situation, it's much clearer to just move the JSPs out of WEB-INF.

That said, I highly recommend the Model 2 approach over Model 1.
 
Hunny Lee
Greenhorn
Posts: 23
Yes, I'd prefer Model 2 to Model 1 anytime. But if you're maintaining a model 1 application, I'd say it's a whole new different story.

I have one very specific reason for doing this (or at least wanting to do this):
I do not want clients to be able to see the real code of the JSP. (Or allow hackers to easily access the code). If I put the 'real' JSP inside WEB-INF, I'm at least assured that this JSP cannot be directly accessed by clients.

So, it's one or the other:
x Clients seeing my JSPs (with scriptlets, ELs and what-have-you's [gasp! even SQL in the JSP?])
x Clients seeing one line of code - a JSP include. In which I know that this included JSP cannot be easily accessed by a malicious client (albeit this page would involve an additional level of indirection).

I'm not sure what your stand is on this, but I'm going to go with the latter.

I can give you specific examples, these are the ones I googled up:
http://www.eztrip.com/hotels.jsp
http://www.verlo.com/customerservice/storelocator.jsp
http://www.ministerosalute.it/index.jsp

Now, change the extension (.jsp) to uppercase. (e.g. website/index.JSP )
I hope you see what I mean.

If it's improper to post the sites, please feel free to delete them.
[ February 19, 2007: Message edited by: Hunny Growlie ]
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 64185
"Hunny Growlie", you have been previously warned on one or more occasions regarding adjusting your display name to meet JavaRanch standards. This is not optional. Please take a look at the JavaRanch Naming Policy and adjust your display name to match it prior to your next post.

Your display name must be a first and a last name separated by a space character, and must not be obviously fictitious.

Be aware that accounts with invalid display names are removed.

bear
JavaRanch Sheriff
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 64185
I see your intent, but still think that it's needless over-complication not worth the perceived benefit.
 
ozzie lorica
Greenhorn
Posts: 5
Originally posted by Amit Arya:
Thanks Raghu sir, but I don't want to access my JSPs directly. How can that be possible? Like, first they have to fill in some password, and only then will the next page be available to them. But if they know the name of the next page, they will directly access it.


I see what you're trying to do. What I would do is create a filter mapped to *.jsp. This filter would check if the user has logged in (by checking the session) and check that the logged-in user has access to that page. If both tests fail, redirect to the login screen; otherwise just move on.

Same applies if you want to implement a "workflow" type thing.
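One way to write the filter described in the post above, as an added example that is not part of the original thread. The login page path, the session attribute names and the per-user set of permitted pages are assumptions about how the login code stores its state; here a request is redirected if either check fails.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter; assumes Servlet 3.0+ (use filter-mapping in web.xml on
// older containers). By default it runs on direct client requests only, not
// on server-side forwards.
@WebFilter("*.jsp")
public class LoginFilter implements Filter {
    private static final String LOGIN_PAGE = "/login.jsp";      // assumed path
    private static final String USER_ATTR = "user";             // assumed, set at login
    private static final String PAGES_ATTR = "allowedPages";    // assumed Set<String>

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        String path = req.getServletPath();   // e.g. "/reports/list.jsp"

        // The login page itself must pass, or the redirect would loop.
        if (LOGIN_PAGE.equals(path)) {
            chain.doFilter(request, response);
            return;
        }
        // getSession(false): do not create a session for anonymous visitors.
        HttpSession session = req.getSession(false);
        Object user = (session == null) ? null : session.getAttribute(USER_ATTR);
        Object pages = (session == null) ? null : session.getAttribute(PAGES_ATTR);
        boolean permitted = pages instanceof Set && ((Set<?>) pages).contains(path);

        if (user == null || !permitted) {
            resp.sendRedirect(req.getContextPath() + LOGIN_PAGE);
            return;
        }
        chain.doFilter(request, response);
    }
}
```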
 
Hunny Lee
Greenhorn
Posts: 23
Originally posted by Bear Bibeault:
I see your intent, but still think that it's needless over-complication not worth the perceived benefit.


Ok then, to each his own. :thumb:
Just as long as you know what I mean. We lost millions in revenue when 'hackers' so easily 'hacked' our legacy since the site was exposed.
Oh well... moving along...
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 64185
A great argument for moving to Model 2!
 
Hunny Lee
Greenhorn
Posts: 23
Originally posted by Bear Bibeault:
A great argument for moving to Model 2! :thumb:


Yes, we are!
It will take months and months to refactor the code (+PM, +QA, etc). (I'm fairly new to this company, and I tell you, their legacy system is bad!)
Therefore, the need to 'hide' the JSPs on the old system while that one's still running.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 64185
I feel your pain. Been there, done that. Luckily, I was given a clean slate for my current gig.
 
Jenny Uy
Greenhorn
Posts: 3
How true is it that if my web application is deployed in WebLogic users CAN access jsp under WEB-INF folder???

I have no experience with WebLogic yet so I'm not sure.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 64185
It might have been best to start a new topic in the Weblogic forum to ask that, but now that we're here, let's hope some Weblogic users see it.

If Weblogic allows JSPs to be directly addressed from WEB-INF, it's broken and not spec-compliant.
 
Carol Enderlin
drifter
Ranch Hand
Posts: 1364
Well, I cannot answer the how true question for every version of weblogic ever created, but I tried it in WebLogic Server 8.1 sp 4 and I got a 404 error trying to directly access a jsp under the WEB-INF directory.

How true is it that if my web application is deployed in WebLogic users CAN access jsp under WEB-INF folder???


Without further details I would suggest that this may just be due to misunderstanding of what this really means.
 
Jenny Uy
Greenhorn
Posts: 3
Thanks for clearing this. I read it from an ebook

http://www.objectsource.com/Struts_Survival_Guide.pdf

Quote:
"As we stated earlier, since the specification is clear about not letting direct access to resources under WEB-INF, all J2EE compliant application servers implement it. However, the second part is not stated in the specification and consequently it is the vendor's prerogative to implement it or not. Certain providers do (For e.g. Tomcat) and others don't (For e.g. WebLogic)."
 
Carol Enderlin
drifter
Ranch Hand
Posts: 1364
What is the second part not specified by the spec? That sounds like something different. [haven't dug into the linked ebook]

As we stated earlier, since the specification is clear about not letting direct access to resources under WEB-INF, all J2EE compliant application servers implement it. However, the second part is not stated in the specification and consequently it is the vendor's prerogative to implement it or not. Certain providers do (For e.g. Tomcat) and others don't (For e.g. WebLogic).
 
Karan Kaw
Greenhorn
Posts: 14
1st part is: Do not allow direct (external) access to resources inside WEB-INF. All containers follow this.
2nd part, which is ambiguous, is that if a JSP is inside WEB-INF, it should be accessible by other members inside WEB-INF. Older WebLogic doesn't allow access to a JSP inside WEB-INF from classes (Action classes) inside WEB-INF\classes, while Tomcat does allow this.

Go to URL: http://forum.spring.io/forum/spring-projects/web/1394-weblogic-7-and-web-inf-jsp-problem
 