
/WEB-INF/classes/ in folder can be accessed from anywhere?

 
Susan Smith
Ranch Hand
Posts: 224
Hi,

In my JSP application, I have a /WEB-INF/ folder; inside WEB-INF, there is a /class/ folder with Java classes in it.

I noticed that if I try to access the Java files via a web browser, they are accessible.

Why is this? Isn't it supposed to be secured from outside?

Thanks in advance for all your help.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 64683
class or classes? It can't be both.

Also what do you mean by accessible? Please be more complete in your posts.

I assume you mean that when you create a URL containing WEB-INF, that it serves the resources within it? If so, then the WEB-INF isn't really part of the web application. If it were, the container would not allow such access.

Verify that your web application structure and the context defining it are set up correctly.
 
Edwin Stephens
Greenhorn
Posts: 15
Hi Susan,

Are you running your servlet/JSP container behind an Apache web server? If so, the Apache web server might be allowing access to files inside of WEB-INF that normally shouldn't be accessed. If this is the case, you can prevent this from happening by modifying the access permissions in httpd.conf or .htaccess.

Edwin
 
Susan Smith
Ranch Hand
Posts: 224
Edwin,

Thanks for your post.

What I meant is I accidentally found that I can see the content of my web.xml application and also the .class files inside the WEB-INF if I type: "http://myapps/WEB-INF/web.xml" or if I type "http://myapps/WEB-INF/beans/myJavaProgram.class"

I'm not too familiar with Apache itself; it's a legacy system and there is no Apache expert on our team yet. Here is the setting. Can you please advise how I should change this?


Note:
In one of the JSP pages, I also served some data from "/WEB-INF/data", so I want it to be accessible from my JSP but not from outside.
Example:

I know Servlet is better for this. But for now this JSP page must stay.
 
Edwin Stephens
Greenhorn
Posts: 15
Hi Susan,

You might want to try making this modification and then restart Apache and see if it helps.



Good luck,
Edwin
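
An added example, not part of any post in this thread and not the modification Edwin posted: one way to make Apache httpd refuse requests for WEB-INF when it serves the web application directory itself. It assumes the directives go in httpd.conf (or the relevant virtual host) and that mod_version is loaded for the `<IfVersion>` blocks; META-INF is included as an assumption because it is the other directory a servlet container keeps private.

```apache
# Added example. Assumption: httpd serves the exploded webapp directory as
# static content (via DocumentRoot or an Alias), so without a rule like this
# it treats WEB-INF/web.xml and the .class files as ordinary files.

# <LocationMatch> is not valid in .htaccess; place this in httpd.conf or
# inside the <VirtualHost> that serves the application.

# Match any URL path with a WEB-INF or META-INF segment, in any letter case
# (relevant when the file system is case-insensitive).
<LocationMatch "(?i)/(WEB-INF|META-INF)(/|$)">
    # Apache 2.4 and later: mod_authz_core syntax
    <IfVersion >= 2.4>
        Require all denied
    </IfVersion>
    # Apache 2.2 and earlier: mod_authz_host syntax
    <IfVersion < 2.4>
        Order deny,allow
        Deny from all
    </IfVersion>
</LocationMatch>
```

After restarting Apache, a request such as the "http://myapps/WEB-INF/web.xml" URL quoted above should return 403 Forbidden. A JSP that reads /WEB-INF/data on the server side is not affected, since that read happens inside the servlet container and is not an HTTP request handled by Apache.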
 