WEB-INF implicit protection?

Ranch Hand
Posts: 84
All, I have some XSL that I'm using via Xalan to render some style in my JSP tier. That said, I don't want these XSL files just floating around ready for public viewing. Right now I'm accessing these files via ServletContext and all seems well. My question is this -- is WEB-INF implicitly secure -- do app servers have to protect this directory from public access?
Also, is this considered good or bad form? Should I put my resources somewhere else and perhaps protect it via declarative security?
[ May 20, 2003: Message edited by: Cory Wilkerson ]
Ranch Hand
Posts: 52
Yes, the server should protect the WEB-INF directory from outside access. Don't consider placing a file in there to be high-level security, though; a misconfigured server could conceivably allow web or anonymous FTP access to WEB-INF. If the consequences of exposing the file are just annoying rather than disastrous, you should be OK doing it that way.
Rancher
Posts: 13459
I believe it's a part of the spec that a server is not allowed to serve resources from this directory, but there is sometimes a difference in how it is implemented in some servers.
For example, in the Tomcat source that I checked, it absolutely refuses to pass on anything from the web-inf directory.
I've heard that in other servers (although I've never been able to get it to work myself) you can place JSPs in the web-inf directory and it is possible to forward and include them via another servlet or JSP, but the user is prevented from accessing them directly.
Not a feature that I intend on using though, and I don't recommend anyone build a production system using it either. The vendor could change the behaviour without warning and you'll be stuffed.
Dave
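As an added example (not code from any of the posters), here is a servlet that applies an XSL stylesheet stored under WEB-INF, the way the original poster describes: the container will not serve `/WEB-INF/xsl/report.xsl` to a browser, but the application can still read it through `ServletContext`, and the same rule is what makes the forward/include of WEB-INF JSPs that Dave mentions work. The file paths, the servlet name and the use of the `javax.servlet` API on a Java 7 or later JDK are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

// Hypothetical servlet: renders /WEB-INF/xml/report.xml with /WEB-INF/xsl/report.xsl.
// Both files sit under WEB-INF, so a direct request such as
// GET /app/WEB-INF/xsl/report.xsl is refused by the container, while
// ServletContext.getResourceAsStream() still reads them from inside the webapp.
public class ReportServlet extends HttpServlet {

    // Assumed paths; a leading slash is relative to the context root.
    private static final String XSL_PATH = "/WEB-INF/xsl/report.xsl";
    private static final String XML_PATH = "/WEB-INF/xml/report.xml";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        ServletContext ctx = getServletContext();
        // getResourceAsStream() returns null when the path does not exist;
        // that is a deployment error on our side, not a client error.
        try (InputStream xsl = ctx.getResourceAsStream(XSL_PATH);
             InputStream xml = ctx.getResourceAsStream(XML_PATH)) {
            if (xsl == null || xml == null) {
                throw new ServletException("XSL or XML missing under WEB-INF");
            }
            TransformerFactory factory = TransformerFactory.newInstance();
            try {
                // Block external DTD/stylesheet fetches so the transform cannot be
                // steered to files or URLs outside the webapp (JAXP 1.5 feature).
                factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
                factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
            } catch (IllegalArgumentException e) {
                // Older standalone Xalan builds do not recognise these attributes.
            }
            resp.setContentType("text/html;charset=UTF-8");
            Transformer t = factory.newTransformer(new StreamSource(xsl));
            t.transform(new StreamSource(xml), new StreamResult(resp.getWriter()));
        } catch (TransformerException e) {
            throw new ServletException("XSL transformation failed", e);
        }
    }
}
```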