restrict access to WEB-INF

Francette Dunyach
Greenhorn

Joined: Jan 07, 2002
Posts: 8
Lots of developers in forums write that files under the WEB-INF directory cannot be directly accessed.
Does anyone know where the reference to that rule is in the J2EE (servlet, more specifically) specifications?
Do I have to declare a new rule, like an access restriction, in my HTTP server?
Thanks in advance
Francette Dunyach
Greenhorn

Joined: Jan 07, 2002
Posts: 8
Here's the response to my first question: the servlet 2.3 spec, chapter 9.4, clearly explains that the WEB-INF directory must not be served. But this remains: does that mean that we have to configure our HTTP server? Is this setting possible with IPlanet?
Ken Robinson
Ranch Hand

Joined: Dec 23, 2003
Posts: 101
I have never seen a server that allows anything in WEB-INF to be served directly. I doubt there is a switch in any server.

What I have seen is some servers that prevent a web app from forwarding a request through a RequestDispatcher to a resource inside of WEB-INF. I had preferred to keep JSPs in a directory in WEB-INF (WEB-INF/jsp). This prevents the user from directly hitting the JSP without going through the servlet (basic MVC) if they happen to know the JSP's URL. What I found was that some servers (Tomcat) were smart enough to allow this since the request came from my servlet, while other servers (WebLogic 6.1) did not allow it, simply rejecting the URL based solely on the fact that it contained WEB-INF.

To summarize, do not put things in WEB-INF that you want served. If you must, write some type of logic that allows you to switch the base directory from WEB-INF/anything to something more standard.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61206

To summarize, do not put things in WEB-INF that you want served.


I'd amend that to be "Do not put things in WEB-INF that you want served directly".

All my JSP files go under WEB-INF. That way, they cannot be served without going through the appropriate controller servlet.


Francette Dunyach
Greenhorn

Joined: Jan 07, 2002
Posts: 8
Thank you for your responses. I have understood that I should not put things in WEB-INF that I want served.
But this was not my proposal. My aim is to put only config files in WEB-INF, and to prevent clients from calling them. My environment is WAS with IPlanet. And I notice that, if I don't configure anything special, config files can be served to clients!!! I was surprised since I thought WAS was configured by default to prevent calls to the WEB-INF directory. I realized that it is not. And now my question is: is this normal? Do I have to add a special parameter on IPlanet?
Jeroen Wenting
Ranch Hand

Joined: Oct 12, 2000
Posts: 5093
If you have no valid web application, there is no special treatment of WEB-INF and it's just another directory under your webserver.
If it is a valid web application there's either a configuration error in your application server (causing it to not recognise the application) or (far less likely) a bug in the server itself.

In a Java web application, files in WEB-INF can NEVER be called from code living outside the application Java/JSP code.

Of course any other application serving data which knows nothing of your directory being a web application can still access it using regular calls to the filesystem unless you set operating system level access restrictions on the files.


Mark Spritzler
ranger
Sheriff

Joined: Feb 05, 2001
Posts: 17250

"francette"

Welcome to JavaRanch. Unfortunately your name does not meet the JavaRanch Naming Policy, which requires a complete real first and last name.

Please click on the profile link near the top of the page to change your name to follow the policy.

Thanks, and I hope you find all your answers here.

Mark


Ken Robinson
Ranch Hand

Joined: Dec 23, 2003
Posts: 101
Originally posted by Bear Bibeault:


I'd amend that to be "Do not put things in WEB-INF that you want served directly".

All my JSP files go under WEB-INF. That way, they cannot be served without going through the appropriate controller servlet.


I agree with this totally. In the past I have used web servers that will not allow this either, not without you writing specific code. Tomcat allowed my servlets to forward to a URL in WEB-INF but WebLogic 6.1 did not. Hopefully that has changed (have not used WL since 6.1).

Bear's approach is my preferred approach, just make sure your container allows for it.
Francette Dunyach
Greenhorn

Joined: Jan 07, 2002
Posts: 8
Jeroen,
My web application seems to be valid...
I think that my server IPlanet is valid too, but it is not J2EE! Actually, in my environment, IPlanet serves the static part of my webapp, but IPlanet doesn't know anything about J2EE rules, such as WEB-INF. So I will teach it by adding a restriction for this folder.
Thanks all
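The restriction Francette describes adding to a front-end static server can be expressed as a small path check. The following is an added illustration, not code from this thread or from any server product: it applies the servlet-spec rule (never serve WEB-INF or META-INF to a client) after normalizing the request path, so that encoded characters, dot segments, path parameters and case differences do not slip past a web server that knows nothing about web applications. The function names are my own.

```python
"""Decide whether a request path points into WEB-INF (or META-INF).

The servlet spec says the container must never serve WEB-INF to clients.
A front-end static server that knows nothing about web applications has to
apply the same rule itself, and it has to apply it to the *normalized* path,
not the raw one, or the rule is trivially worked around.
Added illustration; not code from the thread or from any server product.
"""
from urllib.parse import unquote

# Directories the servlet spec forbids serving to clients.
PROTECTED = ("WEB-INF", "META-INF")


def normalize(path: str) -> str:
    """Canonicalize a request path before any access decision.

    - percent-decode twice, so doubly encoded bytes are resolved too
    - treat backslashes as separators (Windows-hosted docroots)
    - strip ';param' suffixes from each segment (e.g. ;jsessionid=...)
    - collapse '.' and '..' segments
    """
    decoded = unquote(unquote(path)).replace("\\", "/")
    segments = []
    for seg in decoded.split("/"):
        seg = seg.split(";", 1)[0]
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def is_protected(path: str) -> bool:
    """True if any segment of the normalized path is WEB-INF or META-INF.

    The comparison is case-insensitive because the docroot may sit on a
    case-insensitive filesystem, where /web-inf/ and /WEB-INF/ are the same.
    Only whole segments match, so a sibling such as /WEB-INFO/ stays served.
    """
    segments = normalize(path).split("/")[1:]
    return any(seg.upper() in PROTECTED for seg in segments)


def decide(path: str) -> int:
    """HTTP status a front-end should return for this path.

    404 rather than 403 matches what the spec prescribes for the container
    and does not confirm to the client that the directory exists.
    """
    return 404 if is_protected(path) else 200
```

The check belongs in front of the static file handler, before the path is mapped to the filesystem; in the thread's setup that is the iPlanet side, since WAS never sees requests iPlanet answers itself.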
Jeroen Wenting
Ranch Hand

Joined: Oct 12, 2000
Posts: 5093
iPlanet is still not J2EE compliant? They've had 6 years now...
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61206

Why people pay money for servlet containers that don't follow the specs is completely beyond my understanding.
Jeroen Wenting
Ranch Hand

Joined: Oct 12, 2000
Posts: 5093
iPlanet claims to conform to the specs...

They've also been around for a long time, and there are many old installations still around.
5 years ago they were among the best in performance and features, nice glossy administration console and slick sales representatives.
Those things sell units to CEOs of large companies who can't judge the merits of a platform and are too much entrenched in their ivory towers to ask for a professional judgment from the people in the trenches.