All, I have some XSL that I'm using via Xalan to render some style in my JSP tier. That said, I don't want these XSL files just floating around ready for public viewing. Right now I'm accessing these files via ServletContext and all seems well. My question is this -- is WEB-INF implicitly secure -- do app servers have to protect this directory from public access? Also, is this considered good or bad form? Should I put my resources somewhere else and perhaps protect it via declarative security? [ May 20, 2003: Message edited by: Cory Wilkerson ]
Yes, the server should protect the WEB-INF directory from outside access. Don't consider placing a file in there to be high-level security, though; a misconfigured server could conceivably allow web or anonymous FTP access to WEB-INF. If the consequences of exposing the file are just annoying rather than disastrous, you should be OK doing it that way.
I believe it's a part of the spec that a server is not allowed to serve resources from this directory, but there is sometimes a difference in how it is implemented in some servers. For example, in the Tomcat source that I checked, it absolutely refuses to pass on anything from the WEB-INF directory. I've heard that in other servers (although I've never been able to get it to work myself) you can place JSPs in the WEB-INF directory and it is possible to forward and include them via another servlet or JSP, but the user is prevented from accessing them directly. Not a feature that I intend to use, though, and I don't recommend anyone build a production system using it either. The vendor could change the behaviour without warning and you'll be stuffed. Dave
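The two access patterns discussed in this thread (reading an XSL file out of WEB-INF through the ServletContext, as in the original question, and forwarding to a JSP under WEB-INF through a RequestDispatcher, as in Dave's reply) in one servlet. This is an added example, not code from any poster; the paths /WEB-INF/xsl/report.xsl and /WEB-INF/jsp/report.jsp, the servlet name, and the sample XML are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.StringReader;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.XMLConstants;
import javax.xml.transform.Templates;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class ReportServlet extends HttpServlet {

    // Assumed locations under WEB-INF. The container never serves these over HTTP,
    // but code running inside the web application can still read or forward to them.
    private static final String XSL_PATH = "/WEB-INF/xsl/report.xsl";
    private static final String JSP_PATH = "/WEB-INF/jsp/report.jsp";

    private Templates templates;

    @Override
    public void init() throws ServletException {
        ServletContext ctx = getServletContext();
        // getResourceAsStream reads from the deployed application, not via a web request,
        // so a WEB-INF path is reachable here even though a browser request for it is refused.
        try (InputStream xsl = ctx.getResourceAsStream(XSL_PATH)) {
            if (xsl == null) {
                throw new ServletException("Stylesheet not found: " + XSL_PATH);
            }
            // JAXP picks Xalan when it is the configured provider. Secure processing
            // keeps the stylesheet from pulling in external entities or extension functions.
            TransformerFactory tf = TransformerFactory.newInstance();
            tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            // Compile once at startup: Templates is thread-safe, a Transformer is not.
            templates = tf.newTemplates(new StreamSource(xsl));
        } catch (IOException | TransformerException e) {
            throw new ServletException("Cannot load stylesheet", e);
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if ("jsp".equals(req.getParameter("view"))) {
            // Server-side forward to a JSP that lives under WEB-INF. The dispatcher can reach it;
            // a direct request for /WEB-INF/jsp/report.jsp from a client gets a 404.
            RequestDispatcher rd = getServletContext().getRequestDispatcher(JSP_PATH);
            rd.forward(req, resp);
            return;
        }

        // Constructed sample input; a real application would build this from its data tier.
        String xml = "<report><title>Quarterly totals</title><row>42</row></report>";
        resp.setContentType("text/html;charset=UTF-8");
        try {
            // One Transformer per request, created from the shared compiled stylesheet.
            templates.newTransformer().transform(
                    new StreamSource(new StringReader(xml)),
                    new StreamResult(resp.getWriter()));
        } catch (TransformerException e) {
            throw new ServletException("Transformation failed", e);
        }
    }
}
```

Map the servlet to a URL in web.xml and request it normally; then request /WEB-INF/xsl/report.xsl directly from a browser. The servlet specification requires the container to answer that second request with a 404, which is the check worth repeating after any server upgrade or configuration change, since, as the replies above note, WEB-INF is only as private as the container's handling of it.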