File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
http://aspose.com/file-tools
The moose likes Tomcat and the fly likes war-less jar-based deployment Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Android Security Essentials Live Lessons this week in the Android forum!
JavaRanch » Java Forums » Products » Tomcat
Bookmark "war-less jar-based deployment" Watch "war-less jar-based deployment" New topic
Author

war-less jar-based deployment

Asher Tarnopolski
Ranch Hand

Joined: Jul 28, 2001
Posts: 260
this time i have a kind of theoretical question. one of sw developers working for a pretty big company told me today, that they don't use war files for their application deployments. their sw architects believe, that war files are evil, since deployment of un-wared classes is not secure enough in terms of a damage that can be caused by their operations group employees, playing with servers. as far as i understood, their solution is to pack the application into jar and add it to the empty webapp style tree's WEB-INF/lib folder. they are also used to edit server.xml to add the app's context pass there to enable it on the path they use. i was really puzzled by this explanation, i never seen anything like this before. personally i believe that the whole "operations folks problem" sounds like a paranoia, but still, it's hard for me to decide what are the pros and cons of such solution. what do you think? bizarre or brilliant?

thanks.


Asher Tarnopolski
SCJP,SCWCD
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15964
    
  19


Bizarre or brilliant?


Appalling! Hope you're prepared to bail when these geniuses screw up royally and take something critical down. They evidently don't have a clue.

ALL webapps are WARs, per the J2EE standard. A WAR is nothing but a JAR with a specific structure. Some appservers also support "exploded" WARs, which are nothing more than WARs that have been UnZipped (since a WAR is a JAR and a JAR is a ZIP file with a META-INF in it).

There is no such thing as a "WEB-INF/lib" directory in ANY J2EE application server. WEB-INF and its lib and classes subdirectories are part of the structure that makes a JAR a WAR. Without WEB-INF, it's a JAR, not a WAR, and the server is at liberty to ignore the JAR, or even crash and burn (hopefully not, since that's not very robust handling).

So what this bunch of brilliant folks are really doing is slapping a bunch of files into an existing exploded WAR structure, and in my book, that's less secure than deploying an integral WAR unit, not more.

Qualification: I said "All webapps are WARs, but actually, full-stack J2EE also supports collections of WARs (and other webapp resources) bundled in an EAR. Some servers, such as WebSphere will deploy simple WARs by synthesizing the parts of an EAR that would have otherwise been present so that all of its deployed apps are actually EARs.


Customer surveys are for companies who didn't pay proper attention to begin with.
 
It is sorta covered in the JavaRanch Style Guide.
 
subject: war-less jar-based deployment
 
Similar Threads
Eclipse project: Jar will not be exported or published
Deployment diagrams - what should be shown?
Running from EAR
Where to find jar mapping in WAS 6.0
Classloader problem?