tomcat-users mailing list archives

From Wendy Smoak <>
Subject Re: [newbie] Container Managed Security - preventing direct access to .jsp
Date Tue, 14 Dec 2004 22:23:25 GMT
From: "Hassan Schroeder" <>
> Given that the Java™ Servlet Specification Version 2.4, page 70 sez:
> A special directory exists within the application hierarchy
> named WEB-INF. This directory contains all things related to
> the application that aren't in the document root of the
> application. The WEB-INF node is not part of the public
> document tree of the application. No file contained in the
> WEB-INF directory may be served directly to a client by the
> container.
> I don't know how much more "portable" you want it to be :-)

Except that I think at least one commercial Servlet container interpreted it
more strictly and refused to serve anything under WEB-INF, even with a
forward.  IOW, the specification says the container MAY NOT serve anything
under WEB-INF directly, but it doesn't say that the container MUST serve
those things INdirectly.

No idea which one that was, I just remember being warned when I put things
under WEB-INF, that it wouldn't work everywhere.  Since I never plan to use
anything but Tomcat, it wasn't a problem.

Wendy Smoak
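
An alternative that does not depend on how a container treats forwards into WEB-INF, as an added example that is not part of this message: a web.xml security constraint with an empty auth-constraint refuses direct requests for the JSPs, and under Servlet 2.4 security constraints are not applied to RequestDispatcher forwards or includes. The /pages/ directory, the /app/* mapping and com.example.ControllerServlet are assumed names.

```xml
<!-- Added example, not from the thread. All names and paths are assumptions. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <!-- Hypothetical controller servlet; it reaches the JSPs with
       request.getRequestDispatcher("/pages/view.jsp").forward(req, resp) -->
  <servlet>
    <servlet-name>controller</servlet-name>
    <servlet-class>com.example.ControllerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>controller</servlet-name>
    <url-pattern>/app/*</url-pattern>
  </servlet-mapping>

  <!-- JSPs live in /pages/, outside WEB-INF, so no container has to
       serve WEB-INF content indirectly -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>JSPs reachable only by forward</web-resource-name>
      <url-pattern>/pages/*</url-pattern>
      <!-- No http-method elements: the constraint covers every method -->
    </web-resource-collection>
    <!-- Empty auth-constraint: no role is permitted, so a client request
         for /pages/view.jsp is refused by the container -->
    <auth-constraint/>
  </security-constraint>

</web-app>
```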
