tomcat-dev mailing list archives

From "Aiken, David" <David_Ai...@bmc.com>
Subject RE: MVC problem
Date Thu, 30 Nov 2000 23:25:18 GMT
"No file contained in the WEB-INF directory may be served directly to a
client."

That seems pretty clear.. we tried directly accessing JSP pages using a URL
of the form http://localhost:8080/examples/WEB-INF/index.jsp and it
delivered the page using tomcat 3.2 on a W2K system - is it necessary to
configure something to enforce this restriction?

We're also wondering about restricting access to servlets.. we could require
our developers to use a servlet subclass, but this would be non-MVC-like. Is
there a way to govern access to them from a controller servlet?

thanks!
david

-----Original Message-----
From: Craig R. McClanahan [mailto:Craig.McClanahan@eng.sun.com]
Sent: Thursday, November 30, 2000 12:43 PM
To: tomcat-dev@jakarta.apache.org
Cc: 'mike.labudde@irista.com'
Subject: Re: MVC problem


"Aiken, David" wrote:

> That sounds workable.. i looked for an archive of this newsgroup but didn't
> have any luck - do you know where the relevant section in the JSP/servlet
> spec is?
>

Do you mean the restriction on serving things from WEB-INF directly to the
client?

Servlet 2.2 Spec, Section 9.4, p. 44 (last sentence of the first paragraph).

Servlet 2.3 Spec (Proposed Final Draft), Section 9.4, p. 59 (last sentence
of the second paragraph in this section).

Basically, the prohibition means that the following sorts of URLs:

    http://localhost:8080/myapp/WEB-INF/web.xml

will return an error instead of exposing potentially sensitive configuration
information in your deployment descriptor.

A servlet can still access things under WEB-INF -- for example, the JSP servlet
needs to read web.xml when you use custom tags (to look for <taglib> elements),
and it does this:

    InputStream is =
      getServletContext().getResourceAsStream("/WEB-INF/web.xml");

You can do the same with other configuration files that contain sensitive stuff
-- the WEB-INF directory is a good place to put them.

>
> thanks!
> david
>

Craig

PS:  Yes, I *have* almost memorized the specs over the last couple months :-)

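As an added illustration of the pattern Craig describes (not code from either message or from Tomcat): a servlet reads a sensitive configuration file from under WEB-INF with getResourceAsStream(), where no client URL can fetch it, and then hands the request on to a view that also lives under WEB-INF, so the view is reachable only through this controller and never by direct URL. The file names /WEB-INF/app-settings.properties and /WEB-INF/jsp/index.jsp are assumptions; the forward-to-a-WEB-INF-view step goes beyond what the quoted message shows.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Properties;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Controller servlet: the only component that reads the config and
// the only path by which the WEB-INF view is rendered.
public class ControllerServlet extends HttpServlet {

    private final Properties settings = new Properties();

    @Override
    public void init() throws ServletException {
        // Assumed file name; it sits under WEB-INF so the container must
        // refuse to serve it directly, while the servlet can still read it.
        InputStream is = getServletContext()
                .getResourceAsStream("/WEB-INF/app-settings.properties");
        if (is == null) {
            // Fail closed rather than run with missing configuration.
            throw new ServletException("missing /WEB-INF/app-settings.properties");
        }
        try {
            settings.load(is);
        } catch (IOException e) {
            throw new ServletException("cannot read app settings", e);
        } finally {
            try { is.close(); } catch (IOException ignored) { }
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Expose only the values the view needs, not the whole Properties object.
        req.setAttribute("appTitle", settings.getProperty("app.title", "MVC demo"));

        // The view lives under WEB-INF (assumed path), so a browser cannot request
        // it by URL; a server-side forward is the only way it gets rendered.
        getServletContext()
                .getRequestDispatcher("/WEB-INF/jsp/index.jsp")
                .forward(req, resp);
    }
}
```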
