tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: WEB-INF
Date Fri, 10 Sep 2010 15:19:09 GMT
I'll chime in. :)

On 9/10/2010 10:13 AM, Leo Donahue - PLANDEVX wrote:
> I've read that you can secure direct access to a JSP by placing it in
> the WEB-INF directory.  I know you can also secure direct access to a
> JSP by creating a security constraint using URL patterns and
> assigning role names that do not exist.
> I've also "heard" that when you secure a URL using a security
> constraint, that you are not securing the "resource".

That depends on what you think the "resource" is. If it's a file on a
disk, then it is only "secure" if you secure all ways to retrieve it. If
you have multiple URLs that reference the same file on a disk, then yes,
you can "secure" one URL and not another and therefore your file is not
entirely "secure".

Chuck doesn't come right out and say this, but I believe he's hinting at
the fact that files on a disk are largely irrelevant: they are an
implementation detail where HTTP is concerned: the URL is a request for
a resource. Securing that URL is securing the resource. The fact that
multiple resources might result in the same response (from the same file
on the disk) is just a coincidence.

-chris
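As an added illustration of the point made above (a constructed example, not configuration from the thread or from Tomcat's own distribution), here is a web.xml in which one JSP file on disk is reachable through two URLs, so the security constraint has to list both URL patterns. The paths /secret.jsp and /report, the servlet name and the role name no-such-role are assumptions for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example: one file on disk, two URLs, one constraint covering both. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- A second URL for the same file: GET /report renders /secret.jsp.
       (The same trick works for a JSP stored under /WEB-INF/, which the
       container will not serve directly but will render through a mapping
       like this one; the URL, not the file location, is what is exposed.) -->
  <servlet>
    <servlet-name>report</servlet-name>
    <jsp-file>/secret.jsp</jsp-file>
  </servlet>
  <servlet-mapping>
    <servlet-name>report</servlet-name>
    <url-pattern>/report</url-pattern>
  </servlet-mapping>

  <!-- The constraint protects URLs, so every URL that reaches the file must
       be listed. Naming only /secret.jsp here would leave /report returning
       the identical response. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secret report, all routes</web-resource-name>
      <url-pattern>/secret.jsp</url-pattern>
      <url-pattern>/report</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- No user is ever granted this role, so no request passes the check.
           An empty <auth-constraint/> element denies everyone as well and
           makes the intent explicit. -->
      <role-name>no-such-role</role-name>
    </auth-constraint>
  </security-constraint>

</web-app>
```

A quick check after deploying such a constraint is to request each URL that can reach the file (here both /secret.jsp and /report) and confirm they all return 403 rather than the page body; a URL that still renders the page is a route the constraint does not cover.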

