*
The moose likes Tomcat and the fly likes /WEB-INF/classes/ in folder can be accessed from anywhere? Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Products » Tomcat
Bookmark "/WEB-INF/classes/ in folder can be accessed from anywhere?" Watch "/WEB-INF/classes/ in folder can be accessed from anywhere?" New topic
Author

/WEB-INF/classes/ in folder can be accessed from anywhere?

Susan Smith
Ranch Hand

Joined: Oct 13, 2007
Posts: 224
Hi,

In my JSP application, I have /WEB-INF/ folder, inside WEB-INF, there is a /class/ folder with java classes there.

I notice if I try to access the Java files via web browser, it is accessible.

Why is this? Isn't it supposed to be secured from outside?

Thanks in advance for all your help.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60782
    
  65

class or classes? It can't be both.

Also what do you mean by accessible? Please be more complete in your posts.

I assume you mean that when you create a URL containing WEB-INF, that it serves the resources within it? If so, then the WEB-INF isn't really part of the web application. If it were, the container would not allow such access.

Verify that your web application structure and the context defining it are set up correctly.


[Asking smart questions] [Bear's FrontMan] [About Bear] [Books by Bear]
Edwin Stephens
Greenhorn

Joined: Dec 30, 2008
Posts: 15
Hi Susan,

Are you running your servlet/jsp container behind an apache web server? If so, the apache web server might be allowing access to files inside of WEB-INF that normally shouldn't be accessed. If this is the case, you can prevent this from happening by modifying the access permissions in httpd.conf or .htaccess.

Edwin
Susan Smith
Ranch Hand

Joined: Oct 13, 2007
Posts: 224
Edwin,

Thanks for your post.

What I meant is I accidentally found that I can see the content of my web.xml application and also the .class files inside the WEB-INF if I type: "http://myapps/WEB-INF/web.xml" or if I type "http://myapps/WEB-INF/beans/myJavaProgram.class"

I'm not too familiar with Apache itself, it's a legacy system and no apache expert in our team yet. Here is the setting. Can you please advise how should I change this?


Note:
In one of the JSP pages, I also served some data from "/WEB-INF/data", so I want it to be accessible from my JSP but not from outside.
Example:

I know Servlet is better for this. But for now this JSP page must stay.
Edwin Stephens
Greenhorn

Joined: Dec 30, 2008
Posts: 15
Hi Susan,

You might want to try making this modification and then restart Apache and see if it helps.



Good luck,
Edwin
 
 
subject: /WEB-INF/classes/ in folder can be accessed from anywhere?
 
Similar Threads
need a program for Java Bean and JSP
simple tags
Problems with bean example
Access Problem in JSP
Multipls message bundle resource error