tomcat-users mailing list archives

From André Warnier
Subject Re: [OT] WEB-INF
Date Thu, 11 Jul 2013 15:36:05 GMT
Leo Donahue - RDSA IT wrote:
>> -----Original Message-----
>> From: Tim Funk
>> Subject: Re: [OT] WEB-INF
>> It's a best practice to keep your JSPs inside of WEB-INF. Since WEB-INF/ is not
>> allowed to be requested by the browser - it's a simple enforcement
>> mechanism to prevent users from direct access to calling JSPs.
> Thanks Tim.  A lot of old reference books on servlets/JSP never really touched on this
> topic, and I've read about placing resources in WEB-INF on the web somewhere since then.
> I was curious if this practice was originally by design or if the benefit was realized after
> the servlet spec - such as someone deciding "hey, we should put stuff in WEB-INF".
>> (Since it may be common to have JSPs as snippets for header / footers etc -- and
>> therefore they might be able to be called in surprising ways and exposing funny attacks)
> You mention header/footers, which was in the back of my mind when I posted this.  Placing
> headers/footers in WEB-INF doesn't allow me to re-use these in different webapps, without
> having multiple copies of these?
> If I have a header/footer template in \webapps\ROOT\WEB-INF\templates\, I can't reference
> it from  \webapps\App2\WEB-INF\templates  ... or can I?

There are 2 schools of thought here.
One says that webapps should be independent of one another. On that basis, you /should/ 
duplicate these headers/footers for each webapp, so that they can still be individually 
modified/redeployed. And one could argue that they are probably not so big (bytewise), so 
the additional space required should not be a real inconvenience.
The other school of thought would argue that having multiple redundant copies of something 
is bad, because it can lead to diverging versions etc.
(And the first school of thought would then come back with a vengeance, saying that this 
is an issue which your deployment process should take care of).

You /can/ probably have a single copy, and point to it from several webapps using links 
(or aliases?).
You'll need to be careful when undeploying webapps, that this does not delete more than 
what you think (e.g. the things being linked to, from that webapp).  As far as I remember, 
that used to be an issue some time in past Tomcat versions, but still as far as I 
remember, this can now be fixed by some configuration parameter (which unfortunately I do 
not remember the name or location of; you may want to re-read this carefully :
