struts-dev mailing list archives

From "Craig R. McClanahan" <>
Subject Re: Action Servlets
Date Thu, 12 Oct 2000 18:59:49 GMT wrote:

> Is there a reason that the config in the ActionServlet is hardcoded to have
> the action.xml be contained in the web-inf folder?

The config file location *defaults* to "/WEB-INF/action.xml", but you
can change it to any context-relative path (that starts with a "/") by
setting the "config" initialization parameter on the controller servlet
in your

There is a reason for putting this file under /WEB-INF, though.  The
specification prohibits a servlet container from serving the contents of
files under /WEB-INF directly to a client.  So, if you try this request
in your


you should get an error, instead of the contents of the file.  This
avoids the potential that attackers might glean some potentially
sensitive knowledge about how your application is put together, or
perhaps a database username and password if you've got configuration
information for your connection pool in the web.xml file ...

Putting the configuration information anywhere *other* than under
your web app exposes this information to prying eyes.

Craig McClanahan

See you at ApacheCon Europe <>!
Session VS01 (23-Oct 13h00-17h00):  Sun Technical Briefing
Session T06  (24-Oct 14h00-15h00):  Migrating Apache JServ
                                    Applications to Tomcat
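
An added example, not part of the original message or of Struts itself: a small audit that reads a deployment descriptor and reports any servlet whose "config" initialization parameter resolves to a path outside /WEB-INF, where the container would serve the file to clients. The sample web.xml, the servlet names and the function names are constructed for illustration, and the sample is trimmed to the elements the check reads.

```python
import posixpath
import xml.etree.ElementTree as ET

# Constructed sample deployment descriptor (not from the original message).
SAMPLE_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>action</servlet-name>
    <init-param>
      <param-name>config</param-name>
      <param-value>/WEB-INF/action.xml</param-value>
    </init-param>
  </servlet>
  <servlet>
    <servlet-name>admin</servlet-name>
    <init-param>
      <param-name>config</param-name>
      <param-value>/WEB-INF/../admin-action.xml</param-value>
    </init-param>
  </servlet>
</web-app>"""


def local(tag):
    """Strip an XML namespace so namespaced web.xml files are handled too."""
    return tag.rsplit("}", 1)[-1]


def is_protected(path):
    """True if the context-relative path stays under /WEB-INF/ after '..' is resolved."""
    return posixpath.normpath(path).startswith("/WEB-INF/")


def audit_config_paths(web_xml_text):
    """Return (servlet-name, path) for each 'config' init-param outside /WEB-INF."""
    findings = []
    root = ET.fromstring(web_xml_text)
    for servlet in (e for e in root.iter() if local(e.tag) == "servlet"):
        name = next(((c.text or "").strip() for c in servlet if local(c.tag) == "servlet-name"), "?")
        for param in (c for c in servlet if local(c.tag) == "init-param"):
            kv = {local(c.tag): (c.text or "").strip() for c in param}
            value = kv.get("param-value", "")
            if kv.get("param-name") == "config" and not is_protected(value):
                findings.append((name, value))
    return findings


if __name__ == "__main__":
    for name, path in audit_config_paths(SAMPLE_WEB_XML):
        print(f"servlet {name!r}: config {path!r} is outside /WEB-INF")
```

A servlet that sets no "config" parameter is not reported, since the default stated in the message, "/WEB-INF/action.xml", is already under the protected directory.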
