how to access jsp under WEB-INF folder

Amit Sharma
Ranch Hand

Joined: Nov 22, 2005
Posts: 87
I have some JSPs under the WEB-INF folder and, as I know, they can't be accessed directly. So how can I access those JSPs?


Amit Sharma SCJP 1.4, SCWCD 5, OCUP-100(UML)
Rao Raghu
Ranch Hand

Joined: Jan 05, 2007
Posts: 100
You cannot access jsp under WEB-INF. It is not a standard J2EE Spec. The container only looks for class-files in WEB-INF and if you ask for jsp in this directory, it will return an error 404.



RAGHU
"When the going gets tough, the tough get going"
Amit Sharma
Ranch Hand

Joined: Nov 22, 2005
Posts: 87
Thanks Raghu sir, but I don't want to access my JSPs directly. How can that be possible? Like, first they have to fill in some password, only then will the next page be available to them. But if they know the name of the next page they will directly access it.
Rao Raghu
Ranch Hand

Joined: Jan 05, 2007
Posts: 100
You mean sessions? Make your queries clear.
vijay kumarg
Ranch Hand

Joined: Dec 14, 2006
Posts: 105
Amit,
The resources which need to be protected from HTTP access are placed under WEB-INF. Normally JSPs serve the purpose of presentation to the user; that is why they are placed outside WEB-INF.
Filters are attached to the views (jsp/html/.doc/.txt/xml) to prevent direct access to those views by requesting a URL to that resource in the browser.
I suggest you try a sample application and check for yourself.
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

Originally posted by Amit Arya:
I have some JSPs under the WEB-INF folder and, as I know, they can't be accessed directly. So how can I access those JSPs?


You can access them by forwarding to them from another resource that is available to the web (a JSP that is not under WEB-INF, or a controller servlet).

You can also grant access to them by creating a servlet entry for each JSP with a corresponding servlet-mapping entry.
When creating the servlet entry, use the jsp-file attribute in place of the servlet-class attribute.

See section 10 in SRV.13.4 of the servlet spec for complete details regarding the servlet element entry.


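The forwarding approach from the post above, as an added example that is not part of the original thread. It assumes the `javax.servlet` API of that era and Java 9+ for `Map.of`; the class name, the `/app/*` mapping and the `/yourPage` path are hypothetical, and the comment shows the `jsp-file` alternative for the same page.

```java
import java.io.IOException;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Alternative needing no Java: declare the JSP itself as a servlet in web.xml.
 *   <servlet>
 *     <servlet-name>yourPage</servlet-name>
 *     <jsp-file>/WEB-INF/pages/yourPage.jsp</jsp-file>
 *   </servlet>
 *   <servlet-mapping>
 *     <servlet-name>yourPage</servlet-name>
 *     <url-pattern>/yourPage</url-pattern>
 *   </servlet-mapping>
 */

// Hypothetical controller servlet, assumed to be mapped to /app/* in web.xml.
public class ViewControllerServlet extends HttpServlet {

    // Fixed allow-list: public path -> JSP kept under WEB-INF.
    // The JSP path is never built from request input.
    private static final Map<String, String> VIEWS = Map.of(
        "/yourPage", "/WEB-INF/pages/yourPage.jsp"
    );

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getPathInfo() is null for a request to /app itself; Map.of maps reject null keys.
        String path = req.getPathInfo();
        String view = (path == null) ? null : VIEWS.get(path);
        if (view == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Server-side forward: the container resolves the path internally,
        // so the restriction on client requests into WEB-INF does not apply.
        req.getRequestDispatcher(view).forward(req, resp);
    }
}
```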
Hunny Lee
Greenhorn

Joined: Feb 17, 2007
Posts: 23
Originally posted by Amit Arya:
I have some JSPs under the WEB-INF folder and, as I know, they can't be accessed directly. So how can I access those JSPs?


Create an intermediary JSP outside of WEB-INF that includes your JSP.
e.g.
your page is javaranch/WEB-INF/pages/yourPage.jsp
create a page javaranch/yourPage.jsp
Source Code:
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61420
    

I really don't see any benefit of creating a one-line intermediary JSP just so you can put the "real" JSPs under WEB-INF. There's no benefit to the extra level of indirection or to protect the JSPs from direct access.

Under such a situation, it's much clearer to just move the JSPs out of WEB-INF.

That said, I highly recommend the Model 2 approach over Model 1.


Hunny Lee
Greenhorn

Joined: Feb 17, 2007
Posts: 23
Yes, I'd prefer Model 2 to Model 1 anytime. But if you're maintaining a model 1 application, I'd say it's a whole new different story.

I have one very specific reason for doing this (or at least wanting to do this):
I do not want clients to be able to see the real code of the JSP. (Or allow hackers to easily access the code). If I put the 'real' JSP inside WEB-INF, I'm at least assured that this JSP cannot be directly accessed by clients.

So, it's one or the other:
x Clients seeing my JSPs (with scriptlets, ELs and what-have-you's [gasp! even SQL in the JSP?])
x Clients seeing one line of code - a JSP include. In which I know that this included JSP cannot be easily accessed by a malicious client (albeit this page would involve an additional level of indirection).

I'm not sure what your stand is on this, but I'm going to go with the latter.

I can give you specific examples, these are the ones I googled up:
http://www.eztrip.com/hotels.jsp
http://www.verlo.com/customerservice/storelocator.jsp
http://www.ministerosalute.it/index.jsp

Now, change the extension (.jsp) to uppercase. (e.g. website/index.JSP )
I hope you see what I mean.

If it's improper to post the sites, please feel free to delete them.
[ February 19, 2007: Message edited by: Hunny Growlie ]
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61420
    

"Hunny Growlie", you have been previously warned on one or more occasions regarding adjusting your display name to meet JavaRanch standards. This is not optional. Please take a look at the JavaRanch Naming Policy and adjust your display name to match it prior to your next post.

Your display name must be a first and a last name separated by a space character, and must not be obviously fictitious.

Be aware that accounts with invalid display names are removed.

bear
JavaRanch Sheriff
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61420
    

I see your intent, but still think that it's needless over-complication not worth the perceived benefit.
ozzie lorica
Greenhorn

Joined: Feb 19, 2007
Posts: 5
Originally posted by Amit Arya:
Thanks Raghu sir, but I don't want to access my JSPs directly. How can that be possible? Like, first they have to fill in some password, only then will the next page be available to them. But if they know the name of the next page they will directly access it.


I see what you're trying to do. What I would do is create a filter mapped to *.jsp. This filter would check whether the user has logged in (by checking the session) and check that the logged-in user has access to that page. If both tests fail, redirect to the login screen; otherwise just move on.

Same applies if you want to implement a "workflow" type thing.
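A sketch of the filter described in the post above, added here as an example and not taken from the original thread. It assumes the `javax.servlet` API and a `*.jsp` mapping in web.xml; the class name, the login page path and the two session attribute names are hypothetical.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter; declare it in web.xml with <url-pattern>*.jsp</url-pattern>.
public class LoginCheckFilter implements Filter {
    // Assumed names: the login code is expected to set both session attributes.
    private static final String LOGIN_PAGE = "/login.jsp";
    private static final String USER_ATTR = "user";
    private static final String PAGES_ATTR = "allowedPages"; // Set of servlet paths

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        String page = req.getServletPath();          // e.g. "/step2.jsp"

        // The login page must stay reachable, or the redirect below loops.
        if (LOGIN_PAGE.equals(page)) {
            chain.doFilter(request, response);
            return;
        }
        HttpSession session = req.getSession(false); // never create a session here
        boolean loggedIn = session != null && session.getAttribute(USER_ATTR) != null;
        Object allowed = loggedIn ? session.getAttribute(PAGES_ATTR) : null;
        boolean mayView = allowed instanceof Set && ((Set<?>) allowed).contains(page);

        if (loggedIn && mayView) {
            chain.doFilter(request, response);       // both checks passed
        } else {
            resp.sendRedirect(req.getContextPath() + LOGIN_PAGE);
        }
    }

    @Override
    public void destroy() { }
}
```

Servlet URL-pattern matching is case-sensitive, so a `*.jsp` mapping does not cover a request ending in `.JSP`; mapping the filter to `/*` and exempting the public paths closes that gap.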
Hunny Lee
Greenhorn

Joined: Feb 17, 2007
Posts: 23
Originally posted by Bear Bibeault:
I see your intent, but still think that it's needless over-complication not worth the perceived benefit.


Ok then, to each his own. :thumb:
Just as long as you know what I mean. We lost millions in revenue when 'hackers' so easily 'hacked' our legacy since the site was exposed.
Oh well... moving along...
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61420
    

A great argument for moving to Model 2!
Hunny Lee
Greenhorn

Joined: Feb 17, 2007
Posts: 23
Originally posted by Bear Bibeault:
A great argument for moving to Model 2! :thumb:


Yes, we are!
It will take months and months to refactor the code (+PM, +QA, etc). (I'm fairly new to this company, and I tell you, their legacy system is bad!)
Therefore, the need to 'hide' the JSPs on the old system while that one's still running.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61420
    

I feel your pain. Been there, done that. Luckily, I was given a clean slate for my current gig.
Jenny Uy
Greenhorn

Joined: Feb 09, 2007
Posts: 3
How true is it that if my web application is deployed in WebLogic users CAN access jsp under WEB-INF folder???

I have no experience with WebLogic yet so I'm not sure.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61420
    

It might have been best to start a new topic in the Weblogic forum to ask that, but now that we're here, let's hope some Weblogic users see it.

If Weblogic allows JSPs to be directly addressed from WEB-INF, it's broken and not spec-compliant.
Carol Enderlin
drifter
Ranch Hand

Joined: Oct 10, 2000
Posts: 1364
Well, I cannot answer the how true question for every version of weblogic ever created, but I tried it in WebLogic Server 8.1 sp 4 and I got a 404 error trying to directly access a jsp under the WEB-INF directory.

How true is it that if my web application is deployed in WebLogic users CAN access jsp under WEB-INF folder???


Without further details I would suggest that this may just be due to misunderstanding of what this really means.
Jenny Uy
Greenhorn

Joined: Feb 09, 2007
Posts: 3
Thanks for clearing this. I read it from an ebook

http://www.objectsource.com/Struts_Survival_Guide.pdf

Quote:
"As we stated earlier, since the specification is clear about not letting direct access to resources under WEB-INF, all J2EE compliant application servers implement it. However, the second part is not stated in the specification and consequently it is the vendor's prerogative to implement it or not. Certain providers do (For e.g. Tomcat) and others don't (For e.g. WebLogic)."
Carol Enderlin
drifter
Ranch Hand

Joined: Oct 10, 2000
Posts: 1364
What is the second part not specified by the spec? That sounds like something different. [haven't dug into the linked ebook]

As we stated earlier, since the specification is clear about not letting direct access to resources under WEB-INF, all J2EE compliant application servers implement it. However, the second part is not stated in the specification and consequently it is the vendor's prerogative to implement it or not. Certain providers do (For e.g. Tomcat) and others don't (For e.g. WebLogic).