It's not a secret anymore!*
The moose likes Servlets and the fly likes Need for servlet mapping in web.xml Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Murach's Java Servlets and JSP this week in the Servlets forum!
JavaRanch » Java Forums » Java » Servlets
Bookmark "Need for servlet mapping in web.xml" Watch "Need for servlet mapping in web.xml" New topic
Author

Need for servlet mapping in web.xml

Sony Agrawal
Ranch Hand

Joined: Oct 04, 2009
Posts: 143
Hi,
As i understand Servlet mapping is done to hide the directory level information and to get some level of security. I mean to say we are avoiding the directory structure in the URL which in turn provide the security.
So... if somebody get to know the structure, he would access the files illegally. isn,t it ? But what if he gets the web.xml files itself??

i think i am confusing you guys because i am also....
chandrakant karale
Ranch Hand

Joined: Nov 21, 2007
Posts: 41
But what if he gets the web.xml files itself??


By what means he will get access to web.xml?
Web.xml present at its intended location cannot be accessed directly through a web url.

If security is your concern n you can use other mechanisms like filters for that.
Seetharaman Venkatasamy
Ranch Hand

Joined: Jan 28, 2008
Posts: 5575

sony agrwal wrote:
So... if somebody get to know the structure, he would access the files illegally. isn,t it ?

As far i know,No.not possible.
sony agrwal wrote:
But what if he gets the web.xml files itself??


how?
A. S. Georgie
Ranch Hand

Joined: Dec 25, 2009
Posts: 72
sony agrwal wrote:Hi,
But what if he gets the web.xml files itself??


nobody could if web.xml is in WEB-INF try keeping things in WEB-INF if you don't wan't an unauthorized one try to access ...
Shailesh Narkhede
Ranch Hand

Joined: Jul 10, 2008
Posts: 368
Hi,

web.xml is present in WEB-INF folder, and we can access anything from WEB-INF by calling browser.
that is secret folder. that is why user never get web.xml at any cost.
resources from WEB-INF we can access in same web application e.g. properties files.

HTH.


Thanks,
Shailesh
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15951
    
  19

Shailesh Narkhede wrote:Hi,

web.xml is present in WEB-INF folder, and we can not access anything from WEB-INF by calling browser.



Note the correction - I think it's what Shailesh was really trying to say.

I'm going to repeat one of my "favorite" sayings here, since it's important:

A web server is not a file server!

URLs look similar to filename paths. They are not. URLs are Uniform Resource Locators.

URLs are passed to the web server, which decodes them and (usually) passes them on to the web applications, which then also decode them and determine what resource is being requested and how to return it to the client. In many cases, parts of the URL will be used to construct a server-local filename path and copy the contents of a file at that location, but this is just one option.

When a J2EE appserver encounters incoming URLs, one of the things it does is look at a table of URL mappings that was built for the destination webapp. If the incoming URL matches one of those URLs, the appserver then looks at the mapping target data. If the mapping target data corresponds to the symbolic name that was given to a servlet, then the URL is passed to that servlet. That's a little simplified, since even before the URL routing mapping is checked, a security mapping would be checked first, if one existed, but that's the general idea.

J2EE was designed to produce robust, scalable, and maintainable applications. Part of that design involves extra indirections such as the servlet mapping. Although it makes overall design a little more complex, it makes the application as a whole less expensive to maintain and makes it easier to use generic "plug-in" components.

Sorry to be to visually offensive on this post, but I hope it drew attention to the important things.


Customer surveys are for companies who didn't pay proper attention to begin with.
Reidar Gjerstad
Greenhorn

Joined: Dec 02, 2008
Posts: 19
Hi sony

web.xml must be placed in WEB-INF folder. If the container receives a request for any file under WEB-INF it should return 404 - Not Found. At least if I remember correct.

If you have partial files, eg. .jsp headers or footers they can be placed under eg WEB-INF/templates. This way you avoid any user accessing them directly. The same applies to your servlet .class files. Put them under WEB-INF to avoid direct access.

Cheers
Reidar
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60756
    
  65

Reidar Gjerstad wrote:If you have partial files, eg. .jsp headers or footers they can be placed under eg WEB-INF/templates.

Any JSP can (and should) be placed under WEB-INF to avoid direct access.

The same applies to your servlet .class files.

Class files must be in a package hierarchy under WEB-INF/classes or in a jar file under WEB-INF/lib.


[Asking smart questions] [Bear's FrontMan] [About Bear] [Books by Bear]
Reidar Gjerstad
Greenhorn

Joined: Dec 02, 2008
Posts: 19
Bear Bibeault wrote:
Reidar Gjerstad wrote:If you have partial files, eg. .jsp headers or footers they can be placed under eg WEB-INF/templates.

Any JSP can (and should) be placed under WEB-INF to avoid direct access.

The same applies to your servlet .class files.

Class files must be in a package hierarchy under WEB-INF/classes or in a jar file under WEB-INF/lib.


Hi Bear

I guess you mean to say that "Any JSP that is not meant to be accessed directly should be under WEB-INF. JSPs that are meant to be accessed directly must not be in WEB-INF."

Sometimes you have something like "mainpage.jsp", meant to be accessed directly without going through a servlet. Such JSPs must be outside WEB-INF.

Cheers
 
jQuery in Action, 2nd edition
 
subject: Need for servlet mapping in web.xml
 
Similar Threads
*.faces suffix mapping
404 error on servlet due to "requested resource not available"
Simple Servlet problem
Setting file permissions
Tomcat Restarting