
Need for servlet mapping in web.xml

 
Sony Agrawal
Ranch Hand
Posts: 143
Hi,
As I understand it, servlet mapping is done to hide the directory-level information and to get some level of security. I mean to say we are avoiding the directory structure in the URL, which in turn provides the security.
So... if somebody gets to know the structure, he would access the files illegally, isn't it? But what if he gets the web.xml file itself??

I think I am confusing you guys because I am also....
 
chandrakant karale
Ranch Hand
Posts: 41
sony agrwal wrote:
But what if he gets the web.xml file itself??

By what means will he get access to web.xml?
web.xml present at its intended location cannot be accessed directly through a web URL.

If security is your concern, you can use other mechanisms like filters for that.
 
Seetharaman Venkatasamy
Ranch Hand
Posts: 5575
sony agrwal wrote:
So... if somebody gets to know the structure, he would access the files illegally, isn't it?

As far as I know, no. Not possible.

sony agrwal wrote:
But what if he gets the web.xml file itself??

How?
 
A. S. Georgie
Ranch Hand
Posts: 72
sony agrwal wrote:
Hi,
But what if he gets the web.xml file itself??

Nobody could if web.xml is in WEB-INF. Try keeping things in WEB-INF if you don't want an unauthorized one to try to access ...
 
Shailesh Narkhede
Ranch Hand
Posts: 368
Hi,

web.xml is present in WEB-INF folder, and we can access anything from WEB-INF by calling browser.
That is a secret folder. That is why the user never gets web.xml at any cost.
Resources from WEB-INF we can access in the same web application, e.g. properties files.

HTH.
 
Tim Holloway
Saloon Keeper
Posts: 18099
Shailesh Narkhede wrote:Hi,

web.xml is present in WEB-INF folder, and we can not access anything from WEB-INF by calling browser.



Note the correction - I think it's what Shailesh was really trying to say.

I'm going to repeat one of my "favorite" sayings here, since it's important:

A web server is not a file server!

URLs look similar to filename paths. They are not. URLs are Uniform Resource Locators.

URLs are passed to the web server, which decodes them and (usually) passes them on to the web applications, which then also decode them and determine what resource is being requested and how to return it to the client. In many cases, parts of the URL will be used to construct a server-local filename path and copy the contents of a file at that location, but this is just one option.

When a J2EE appserver encounters incoming URLs, one of the things it does is look at a table of URL mappings that was built for the destination webapp. If the incoming URL matches one of those URLs, the appserver then looks at the mapping target data. If the mapping target data corresponds to the symbolic name that was given to a servlet, then the URL is passed to that servlet. That's a little simplified, since even before the URL routing mapping is checked, a security mapping would be checked first, if one existed, but that's the general idea.

J2EE was designed to produce robust, scalable, and maintainable applications. Part of that design involves extra indirections such as the servlet mapping. Although it makes overall design a little more complex, it makes the application as a whole less expensive to maintain and makes it easier to use generic "plug-in" components.

Sorry to be so visually offensive in this post, but I hope it drew attention to the important things.
 
Reidar Gjerstad
Greenhorn
Posts: 19
Hi sony

web.xml must be placed in the WEB-INF folder. If the container receives a request for any file under WEB-INF, it should return 404 - Not Found. At least if I remember correctly.

If you have partial files, e.g. .jsp headers or footers, they can be placed under e.g. WEB-INF/templates. This way you avoid any user accessing them directly. The same applies to your servlet .class files. Put them under WEB-INF to avoid direct access.

Cheers
Reidar
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 64718
Reidar Gjerstad wrote:
If you have partial files, eg. .jsp headers or footers they can be placed under eg WEB-INF/templates.

Any JSP can (and should) be placed under WEB-INF to avoid direct access.

Reidar Gjerstad wrote:
The same applies to your servlet .class files.

Class files must be in a package hierarchy under WEB-INF/classes or in a jar file under WEB-INF/lib.
 
Reidar Gjerstad
Greenhorn
Posts: 19
Bear Bibeault wrote:
Reidar Gjerstad wrote:If you have partial files, eg. .jsp headers or footers they can be placed under eg WEB-INF/templates.

Any JSP can (and should) be placed under WEB-INF to avoid direct access.

The same applies to your servlet .class files.

Class files must be in a package hierarchy under WEB-INF/classes or in a jar file under WEB-INF/lib.


Hi Bear

I guess you mean to say that "Any JSP that is not meant to be accessed directly should be under WEB-INF. JSPs that are meant to be accessed directly must not be in WEB-INF."

Sometimes you have something like "mainpage.jsp", meant to be accessed directly without going through a servlet. Such JSPs must be outside WEB-INF.

Cheers
 