Accessing files under WEB-INF

Hi,

I have been hearing lot about we cannot access the files under Web-INF folder.
I wanted to know how is it done by the container, to not allow to access files under Web-INF folder ?

WEB-INF directory is a private area of the web application, any files under WEB-INF directory cannot be accessed directly from browser by specifying the URL like http://somesite/WEB-INF/someresource.html. Web container will not serve the content of this directory. However the content of the WEB-INF directory is accessible by the classes (eg servlets) within the application.

How web container does this is upto web container, and that shouldn't matter..

This is perhaps the best way to observe the difference between a URL and a resource (file) path. Although syntactically, they're confusingly similar, URLs cannot "see" WEB-INF or anything under it. However application code can see the WEB-INF directory just fine using the resource access methods of J2EE.

hello gaurav,

Try this

http://tomcat.apache.org/tomcat-5.5-doc/security-manager-howto.html

Go through the security Guide for the Tomcat Server. you will find the Security Things. How the webcontainer does it.

Atul Darne wrote:hello gaurav,

Try this

http://tomcat.apache.org/tomcat-5.5-doc/security-manager-howto.html

Go through the security Guide for the Tomcat Server. you will find the Security Things. How the webcontainer does it.

I don't think security manager has anything to do with not allowing files under /WEB-INF/

you can try this like,
if you are accessing the file in action class

String filename = "/WEB-INF/somefile.xml" ;
ServletContext context = this.getServlet().getServletContext();
String pathname =context.getRealPath(filename);

This one works for me,
But if i want to access the files from /web-inf/
thru a static method of a normal java class [not a servlet]

how do i do it.
If anybody has a solution,please let me know.

Thanks
indmango

@indmango -- > you can use normal Java File API to access File. Creat a File object with the path to a file inside WEB-INF.

~ abhay

Abhay Agarwal wrote:@indmango -- > you can use normal Java File API to access File. Creat a File object with the path to a file inside WEB-INF.

~ abhay

I tried like this
java.net.URL url = MyClass.class.getClassLoader().getResource(filename);

and it's returning null

and also like this

InputStream in = Thread.currentThread().getContextClassLoader().getResourceAsStream(filename);

and this is also returning null.

Note : I am trying all this in a normal java program from a static method

when i create the file object.. it's like looking from c:/web-inf/somefile.txt
which is not the corrrect path.

Abhay Agarwal wrote:@indmango -- > you can use normal Java File API to access File. Creat a File object with the path to a file inside WEB-INF.

~ abhay

You can, but you shouldn't. It's a violation of the J2EE spec, which says that a J2EE webapp is a single (WAR) file, and therefore filesystem access to components within the WAR is not guaranteed.

Yes, it works in many appservers - but not all of them. And even for the ones where it does work, it may not always work. For example, in Tomcat, you can turn off the "exploded WAR" option and that will break any code that thinks that everything's in its own file.

The only safe way to obtain "files" (resources) within a WAR is to use the ServletContext getResource/getResourceAsString methods, which cannot be accessed statically, because you can deploy the same WAR more than once in a server and each deployment would have its own ServletContext.

You can access objects using the standard Java classloader mechanism, but that won't give access to any paths of the WAR that aren't in the WAR's classpath (WEB-INF/classes and the WEB-INF/lib jars).

You should never assume you know what the current working directory is in a WAR unless you have just set it yourself. And don't expect it to stay set after the current request has completed.

Abhay Agarwal wrote:@indmango -- > you can use normal Java File API to access File. Creat a File object with the path to a file inside WEB-INF.

~ abhay

Could you please explain with some example.. i want to give it a try

Creat a File object with the path to a file inside WEB-INF.

indmango siri wrote:
Could you please explain with some example.. i want to give it a try
Creat a File object with the path to a file inside WEB-INF.

NO. Do not! I will back up Tim on this. If you are not going to listen to the advice of the senior members who have learned the hard way what to do and, more importantly, what not to do, why are you asking for their advice?