Question of hiding resource from client

Stephen Lee
Ranch Hand

Joined: Dec 11, 2001
Posts: 74
I am using Tomcat 4. I have found that there's a way to hide a resource from a client - place the JSP pages in the directory WEB-INF. Therefore, the JSP pages cannot be viewed by typing the path http://localhost/*.jsp
The page can be accessed by the use of RequestDispatcher from a servlet program or by using a custom URL set in web.xml. However, it is required to use <jsp:include page="xxx.jsp" /> to include another JSP. However, that JSP is placed in WEB-INF also, so a ServletException is thrown. How can I include the JSP file successfully in this way? I have tried to use an absolute path, however, it is still unsuccessful. What should I do? Thanks!
Leyland
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16012
    

Ugh. Well, you hid them OK. I wouldn't recommend doing this, though.
One thing to note is that the "include" JSP directive references a URL, not a file path (Is it time for me to say "A WEB server is NOT a LAN server" again?). And at the moment, I don't know of any mechanism in JSP 1.1 that will simply and reliably restrict access to a URL except to the degree that logic in the JSP itself restricts access. I've thought of several potential options, but they all seem to have holes in them.
Probably the SAFEST thing to do is go "Model 2" and not put anything insecure in JSPs. You CAN hide servlets - in fact, most modern appservers hide them unless explicitly attached to one or more URLs in web.xml.


Customer surveys are for companies who didn't pay proper attention to begin with.
Keith Kamholz
Greenhorn

Joined: Jan 03, 2003
Posts: 2
Hey,
I'm using IBM WebSphere and Struts. It is considered good practice to put the JSPs in the WEB-INF folder to hide them. My problem is that the JSPs are not getting hidden.
If the user types in root/EditPage.jsp, the page is accessible. Oddly enough, it is also accessible when root/WEB-INF/JSP/EditPage.jsp is entered. The files physically reside in the WEB-INF/JSP folder, but both URLs work.
Does anyone have any idea what's going on with this? Any help would be great, thanks!
- Keith
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16012
    

You're right. WEB-INF /is/ supposed to be hidden, and people DO put JSP's there for that reason, although if my memory weren't all mush I'd remember what the "gotcha" was. There is one, I know, otherwise it'd be the preferred and blessed place to put JSPs that were invoked by Struts but should not be invoked directly by the client. It's still done, just not blessed - though I think that some sort of blessed equivalent is under consideration.
Don't know for sure why WebSphere shows the pages. Maybe the version you're using predates the WEB-INF magic (would have to be pre-4.0, I think). Or you've somehow defined a URL path that bypasses the magic.
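Added example, not part of the thread and not any poster's code: a servlet filter as defense in depth for the case above, where a container serves JSPs or WEB-INF paths directly. The class name DirectJspBlockFilter is hypothetical, and the filter is assumed to be mapped to /* in web.xml. A filter mapped this way sees client requests but not RequestDispatcher forwards or includes (never in Servlet 2.3, and not by default in later versions), so a controller servlet and <jsp:include> can still reach the JSPs.

```java
// Added example (not from the thread). Assumes the javax.servlet API
// (Servlet 2.3 or later); on Jakarta EE 9+ the package is jakarta.servlet.
import java.io.IOException;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: rejects client requests that address a JSP or WEB-INF directly. */
public class DirectJspBlockFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    /** True when a client-supplied, context-relative path must not be served directly. */
    static boolean isBlocked(String path) {
        // Compare case-insensitively so /web-inf/ and .JSP variants are covered too.
        String p = path.toLowerCase(Locale.ENGLISH);
        return p.equals("/web-inf") || p.startsWith("/web-inf/")
                || p.endsWith(".jsp") || p.endsWith(".jspf");
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // getServletPath() and getPathInfo() are already URL-decoded by the container.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }
        if (isBlocked(path)) {
            // 404 rather than 403, so the response does not confirm the file exists.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Anything else (servlet URLs, static content) proceeds as usual.
        chain.doFilter(req, res);
    }
}
```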
 
 