tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Craig R. McClanahan" <>
Subject Re: MVC problem
Date Thu, 30 Nov 2000 18:42:54 GMT
"Aiken, David" wrote:

> That sounds workable.. i looked for an archive of this newsgroup but didn't
> have any luck - do you know where the relevant section in the JSP/servlet
> spec is?

Do you mean the restriction on serving things from WEB-INF directly to the

Servlet 2.2 Spec, Section 9.4, p. 44 (last sentence of the first paragraph).

Servlet 2.3 Spec (Proposed FInal Draft), Section 9.4, p. 59 (last sentence of
the second paragraph in this section).

Basically, the prohibition means that the following sorts of URLs:


will return an error instead of exposing potentially sensitive configuration
information in your deployment descriptor.

A servlet can still access things under WEB-INF -- for example, the JSP servlet
needs to read web.xml when you use custom tags (to look for <taglib> elements),
and it does this:

    InputStream is =

You can do the same with other configuration files that contain sensitive stuff
-- the WEB-INF directory is a good place to put them.

> thanks!
> david


PS:  Yes, I *have* almost memorized the specs over the last couple months :-)

View raw message