File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
The moose likes Tomcat and the fly likes war-less jar-based deployment Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Products » Tomcat
Bookmark "war-less jar-based deployment" Watch "war-less jar-based deployment" New topic

war-less jar-based deployment

Asher Tarnopolski
Ranch Hand

Joined: Jul 28, 2001
Posts: 260
this time i have a kind of theoretical question. one of sw developers working for a pretty big company told me today, that they don't use war files for their application deployments. their sw architects believe, that war files are evil, since deployment of un-wared classes is not secure enough in terms of a damage that can be caused by their operations group employees, playing with servers. as far as i understood, their solution is to pack the application into jar and add it to the empty webapp style tree's WEB-INF/lib folder. they are also used to edit server.xml to add the app's context pass there to enable it on the path they use. i was really puzzled by this explanation, i never seen anything like this before. personally i believe that the whole "operations folks problem" sounds like a paranoia, but still, it's hard for me to decide what are the pros and cons of such solution. what do you think? bizarre or brilliant?


Asher Tarnopolski
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 17417

Bizarre or brilliant?

Appalling! Hope you're prepared to bail when these geniuses screw up royally and take something critical down. They evidently don't have a clue.

ALL webapps are WARs, per the J2EE standard. A WAR is nothing but a JAR with a specific structure. Some appservers also support "exploded" WARs, which are nothing more than WARs that have been UnZipped (since a WAR is a JAR and a JAR is a ZIP file with a META-INF in it).

There is no such thing as a "WEB-INF/lib" directory in ANY J2EE application server. WEB-INF and its lib and classes subdirectories are part of the structure that makes a JAR a WAR. Without WEB-INF, it's a JAR, not a WAR, and the server is at liberty to ignore the JAR, or even crash and burn (hopefully not, since that's not very robust handling).

So what this bunch of brilliant folks are really doing is slapping a bunch of files into an existing exploded WAR structure, and in my book, that's less secure than deploying an integral WAR unit, not more.

Qualification: I said "All webapps are WARs, but actually, full-stack J2EE also supports collections of WARs (and other webapp resources) bundled in an EAR. Some servers, such as WebSphere will deploy simple WARs by synthesizing the parts of an EAR that would have otherwise been present so that all of its deployed apps are actually EARs.

An IDE is no substitute for an Intelligent Developer.
I agree. Here's the link:
subject: war-less jar-based deployment
It's not a secret anymore!