tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jacob Kjome <>
Subject Re: JSP under /WEB-INF folder
Date Tue, 28 Dec 2004 16:38:42 GMT
Quoting Koon Yue Lam <>:

> Hi Hassan ,
> yes, the .js and .css are externally-accessible, but the .jsp aren't ....
> so my jsp can't refer to those .js and .css

Huh?  Why would you say that?  Let's say I have the following structure...


And my.jsp looks like...

  <link rel="Stylesheet" href="assets/style/my.css" type="text/css">
  <script src="assets/script/my.js" type="text/javascript"></script>
  <title>mock jsp</title>
  <h1>Hello World</h1>

So, what's the problem?  The <link> and <script> locations are loaded by the
browser and have no relation whatsoever to the actual location of your JSP. 
Keep in mind that the only way you can provide this JSP for viewing is to do a
server-side forward to it.  Web page resources and links will be resolved
relative to the path of the URL in your browser location bar.  Note that this
wouldn't be strictly true if you redirected to the JSP resource, but this is
impossible in this case because you can't redirect to a resoruce existing
within WEB-INF because the browser client has no access to it, only the server
does.  In any case, you can always make the resource URL's relative to the root
of the application by doing "/myapp/assets/script/my.js".

> and after viewing this thread, I think I would take QM approche but u
> mentioned I can put all jsp into one folder and protect it. How? Is it
> a web container level or OS level protection ?

The *only* valid reason I can see for not putting JSPs (not meant for direct
viewing) under WEB-INF is lack of server support for it.  However, any modern
server worth its salt now supports this.  If yours doesn't, you might want to
think about changing vendors or, at least, upgrading your version to one that
supports this feature.

My rule of thumb is to put JSP that are not meant for direct viewing (only
forwarding to from a controller servlet) under WEB-INF and jsp's that are meant
for direct viewing outside of WEB-INF.  You get the security for free!  Why one
would bother with needless extra security configuration is beyond me.  And what
if you forget or configure it wrong?


> Regards
> On Sun, 26 Dec 2004 08:45:00 -0800, Hassan Schroeder
> <> wrote:
> > Koon Yue Lam wrote:
> > > Hi, I want to protect my JSP from direct access, so they can only
> > > access by Struts action.
> > > but....
> > >
> > > If I want to include some Javascript or CSS to a JSP, I can't !
> > > Because .js and .css needed to place directly under WebRoot
> >
> > I'm afraid I don't understand the issue.
> >
> > If you're putting your JS and CSS in an externally-accessible place
> > (maybe /scripts and /styles) then the standard HTML references for
> > "external" resources:
> >
> >    <link rel="stylesheet" type="text/css" href="/styles/example.css"/>
> >    <style type="text/css">@import "/styles/example.css";</style>
> >    <script type="text/javascript" src="/scripts/example.js"></script>
> >
> > :: will work fine.
> >
> > The client UA can access them directly (and cache them, which is
> > usually a desirable behavior).
> >
> > HTH,
> > --
> > Hassan Schroeder -----------------------------
> > Webtuitive Design ===  (+1) 408-938-0567   ===
> >
> >                            dream.  code.
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail:
> > For additional commands, e-mail:
> >
> >
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message