From "Craig R. McClanahan" <Craig.McClana...@eng.sun.com>
Subject Re: Action Servlets
Date Thu, 12 Oct 2000 18:59:49 GMT
Richard.Reis@openfinancetech.com wrote:

> Is there a reason that the config in the ActionServlet is hardcoded to have
> the action.xml be contained in the web-inf folder?

The config file location *defaults* to "/WEB-INF/action.xml", but you can change it to any context-relative path (that starts with a "/") by setting the "config" initialization parameter on the controller servlet in your web.xml file.

There is a reason for putting this file under /WEB-INF, though.  The servlet specification prohibits a servlet container from serving the contents of any file under /WEB-INF directly to a client.  So, if you try this request in your browser:

    http://localhost:8080/struts-example/WEB-INF/action.xml

you should get an error, instead of the contents of the file.  This avoids the potential that attackers might glean some potentially sensitive knowledge about how your application is put together, or perhaps a database username and password if you've got configuration information for your connection pool in the web.xml file ...

Putting the configuration information anywhere *other* than under /WEB-INF in your web app exposes this information to prying eyes.

Craig McClanahan

====================
See you at ApacheCon Europe <http://www.apachecon.com>!
Session VS01 (23-Oct 13h00-17h00):  Sun Technical Briefing
Session T06  (24-Oct 14h00-15h00):  Migrating Apache JServ
                                    Applications to Tomcat
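The web.xml wiring described in the message above, as an added example that is not part of the original mail or the Struts distribution: the controller servlet with its "config" init-param pointing at a context-relative path under /WEB-INF. The servlet class name and the `*.do` mapping are the usual Struts 1 conventions; the `/WEB-INF/conf/action.xml` path is an assumed one.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
  "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>
  <servlet>
    <servlet-name>action</servlet-name>
    <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
    <!-- Context-relative path, must start with "/". Overrides the
         default of /WEB-INF/action.xml. The sub-directory here is an
         assumed example; what matters is that it stays under /WEB-INF,
         which the container never serves directly to a client. -->
    <init-param>
      <param-name>config</param-name>
      <param-value>/WEB-INF/conf/action.xml</param-value>
    </init-param>
    <!-- Weak alternative, NOT to be used:
           <param-value>/conf/action.xml</param-value>
         A file outside /WEB-INF is ordinary static content, so a plain
         GET for /conf/action.xml would return the configuration. -->
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>action</servlet-name>
    <url-pattern>*.do</url-pattern>
  </servlet-mapping>
</web-app>
```

After deploying, requesting /WEB-INF/conf/action.xml directly should return an error from the container, which is the check the message suggests.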
