Return-Path: 
 <tomcat-dev-return-21097-apmail-jakarta-tomcat-dev-archive=jakarta.apache.org@jakarta.apache.org>
Delivered-To: apmail-jakarta-tomcat-dev-archive@jakarta.apache.org
Received: (qmail 11074 invoked by uid 500); 11 May 2001 13:37:17 -0000
Mailing-List: contact tomcat-dev-help@jakarta.apache.org; run by ezmlm
Precedence: bulk
list-help: <mailto:tomcat-dev-help@jakarta.apache.org>
list-unsubscribe: <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
list-post: <mailto:tomcat-dev@jakarta.apache.org>
Reply-To: tomcat-dev@jakarta.apache.org
Delivered-To: mailing list tomcat-dev@jakarta.apache.org
Received: (qmail 11026 invoked from network); 11 May 2001 13:37:16 -0000
From: "Marc Saegesser" <marc.saegesser@apropos.com>
To: <tomcat-dev@jakarta.apache.org>,
	"Richard Wan" <richardwan@servidium.com>
Subject: RE: tomcat serves .jsp file contained in WEB-INF
Date: Fri, 11 May 2001 08:37:10 -0500
Message-ID: <JFEMIAGAMJPJFLEODNEEAEGGDMAA.marc.saegesser@apropos.com>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
In-Reply-To: <002401c0d996$f1f9dde0$0401a8c0@VersataBox>
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Importance: Normal
X-Spam-Rating: h31.sny.collab.net 1.6.2 0/1000/N

This was fixed in Tomcat 3.2.1 and I've verified that Tomcat 3.2.2 does not
serve the JSP file in WEB-INF either.

> -----Original Message-----
> From: Richard Wan [mailto:richardwan@servidium.com]
> Sent: Thursday, May 10, 2001 4:20 PM
> To: Craig R. McClanahan; tomcat-dev@jakarta.apache.org
> Subject: Re: tomcat serves .jsp file contained in WEB-INF
>
>
> From: "Craig R. McClanahan" <craigmcc@apache.org>
> > > http://machine:port/appname/WEB-INF/inside.jsp would get served but
> > > http://machine:port/appname/WEB-INF/inside.html would not?
> > Neither one should be served back to a direct client request for these
> > URLs.  The server is prohibited from returning anything under
> "WEB-INF" or
> > "META-INF".
>
>
> I've attached a small (4k) .war file which under tomcat 3.2 appears to
> violate this rule.
> Namely, direct browser requests to WEB-INF/inside.jsp are served.
> Is this a known bug? Have I found a bug? or am I just crazy?
>
> > It's legal to access either of these URLs, however, in the
> following ways:
> > * As the destination of a RequestDispatcher.forward() or include():
> >
> >     RequestDispatcher rd =
> >      getServletContext().getRequestDispatcher("/WEB-INF/inside.jsp");
> >     rd.forward(request, response);
>
>
> Excellent, this is precisely what I was hoping.
>
> ----------------------------------------------------------------------
> Richard F. Wan
> email: richardwan@servidium.com
> Phone: 403 263 3287
> Fax:  403 265 5690
> Servidium Inc. Suite 800, 840 7th Ave SW
> Calgary, Alberta, Canada T2P 3G2
>
>