struts-user mailing list archives

From "David Corbin" <dcor...@imperitek.com>
Subject Re: Place all Java ServerPages below WEB-INF
Date Sun, 26 Aug 2001 18:10:36 GMT
To me, that's a security risk of enormous proportions....
----- Original Message -----
From: "Matt Raible" <matt_raible@yahoo.com>
To: <struts-user@jakarta.apache.org>
Sent: Sunday, August 26, 2001 1:50 PM
Subject: Re: Place all Java ServerPages below WEB-INF


> Yep - I can access my web.xml via
> http://localhost/NASApp/warName/WEB-INF/web.xml.
>
> I guess iPlanet is defective in this area.
>
> Thanks,
>
> Matt
>
> --- David Corbin <dcorbin@imperitek.com> wrote:
> > If you can access ANYTHING in WEB-INF, you have a defective application
> > server.  See if you can access your .class files that way, or your
> > web.xml file.
> >
> >
> > ----- Original Message -----
> > From: "Matt Raible" <matt_raible@yahoo.com>
> > To: <struts-user@jakarta.apache.org>
> > Sent: Sunday, August 26, 2001 12:22 PM
> > Subject: Place all Java ServerPages below WEB-INF
> >
> >
> > > In Ted Husted's Catalog at http://husted.com/about/struts/catalog.htm, he
> > > states the following:
> > >
> > > Place all Java ServerPages below WEB-INF
> > > The container provides security for all files below WEB-INF. This applies
> > > to client requests, but not forwards from the ActionServlet. Placing all
> > > JSPs below WEB-INF ensures that they are only accessed through Actions, and
> > > not directly by the client or each other. This allows security to be moved
> > > up into the Controller, where it can be handled more efficiently, and out
> > > of the base presentation layer.
> > >
> > > I have done this and put all my pages at WEB-INF/pages.  However, I can
> > > still get to them by typing
> > > http://localhost/NASApp/myApp/WEB-INF/pages/pageName.jsp
> > > - so I don't see how "security is provided."  Maybe it's an iPlanet thing,
> > > but here is my directory structure:
> > >
> > > APPS
> > >      - app
> > >           - wardir
> > >                - WEB-INF
> > >                - pages
> > >           - eardir
> > >
> > > Thanks,
> > >
> > > Matt
> >
>
>
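
An added example, not part of the thread or of Struts: a servlet filter that answers 404 to direct client requests for anything under WEB-INF or META-INF, as a stopgap on a container that serves them the way described above. It assumes a container that supports Servlet 2.3 filters (javax.servlet) and a web.xml mapping of the filter to `/*`; the class name `WebInfGuardFilter` is hypothetical. Filters mapped this way run by default on client requests and not on RequestDispatcher forwards, so forwards from the ActionServlet to JSPs under WEB-INF keep working.

```java
import java.io.IOException;
import java.util.Locale;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical class name; map it to /* in web.xml (assumption, not from the thread).
public class WebInfGuardFilter implements Filter {

    /** True when a context-relative path has a WEB-INF or META-INF segment. */
    static boolean isProtected(String path) {
        if (path == null) return false;
        // Normalise separators and case so "Web-Inf" is treated like "WEB-INF".
        String p = path.replace('\\', '/').toLowerCase(Locale.ROOT);
        for (String seg : p.split("/")) {
            // Drop path parameters such as ";jsessionid=..." before comparing.
            int semi = seg.indexOf(';');
            if (semi >= 0) seg = seg.substring(0, semi);
            // Drop trailing dots and spaces, which some file systems ignore.
            seg = seg.replaceAll("[. ]+$", "");
            if (seg.equals("web-inf") || seg.equals("meta-inf")) return true;
        }
        return false;
    }

    public void init(FilterConfig cfg) {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        // getServletPath() and getPathInfo() are already URL-decoded by the container.
        String info = r.getPathInfo();
        String path = r.getServletPath() + (info == null ? "" : info);
        if (isProtected(path)) {
            // Same answer a conforming container gives for WEB-INF: not found.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

This only helps if the container routes the request through the filter chain before serving the file; on a server that hands such paths to a static-file handler first, the fix has to come from the server configuration or the vendor.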

