tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: [OT] WEB-INF
Date Fri, 12 Jul 2013 13:36:03 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

André,

On 7/11/13 11:36 AM, André Warnier wrote:
> Leo Donahue - RDSA IT wrote:
>>> -----Original Message----- From: Tim Funk
>>> [mailto:funkman@apache.org] Subject: Re: [OT] WEB-INF
>>> 
>>> Its a best practice to keep your jsp's inside of WEB-INF.
>>> Since WEB-INF/ is not allowed to be requested by the browser -
>>> its a simple enforcement mechanism to prevent users from direct
>>> access to calling jsps.
>> 
>> Thanks Tim.  A lot of old reference books on servlets/JSP never
>> really touched on this topic, and I've read about placing
>> resources in WEB-INF on the web somewhere since then.  I was
>> curious if this practice was originally by design or if the
>> benefit was realized after the servlet spec - such as someone
>> deciding "hey, we should put stuff in WEB-INF".
>> 
>> 
>>> (Since it may be  common to have jsp's as snippets for header
>>> / footers etc -- and there for they might be able to be called
>>> in surprising ways and exposing funny attacks)
>> 
>> You mention header/footers, which was in the back of my mind when
>> I posted this.  Placing headers/footers in WEB-INF doesn't allow
>> me to re-use these in different webapps, without having multiple
>> copies of these? If I have a header/footer template in 
>> \webapps\ROOT\WEB-INF\templates\, I can't reference it from 
>> \webapps\App2\WEB-INF\templates  ... or can I?
>> 
> 
> There are 2 schools of thought here. One says that webapps should
> be independent of one another. On that base, you /should/ duplicate
> these headers/footers for each webapp, so that they can still be
> individually modified/redeployed. And one could argue that they are
> probably not so big (bytewise), so the additional space required
> should not be a real inconvenient. The other school of thought
> would argue that have multiple redundant copies of something is
> bad, because it can lead to diverging versions etc. (And the first
> school of thought would then come back with a vengeance, saying
> that this is an issue which your deployment process should take 
> care of).

For the record, I personally am an instructor at this particular
School of Thought (solve duplication issues with deployment processes).

Here's why: your web application(s) will become overly complicated and
fragile if you try to share resources between webapps. Fragility is
IMO more expensive than the maintenance cost of a more complicated build.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJR4AZCAAoJEBzwKT+lPKRYInsP/0qPu/Yuk1Olh3bcrg5/4pIQ
dl4d8q6pKHZusPzGp2d27fb7grMXXUXCXvx8qe+uswNxslSXKaqIAdtd8lYGz7b5
ppPYBsSm648DzPJ4hX2JAEk8bc1GE19nl6e702lWH0SMceFxEnxqu56XAI57DPQa
9LwUrmjPsIiw213O4S/Mc8HQcBw4FpTMx9zP1G/iW+QLNA9k+4OFjuqNN6A+56oc
Tfxu3TFrgcMUv7ag7C0WEq6Pkayfz8aEcpmD/QyW4CD/UnvFSj9+XBeKOdSUhK8d
tn9p62RPp8uH8AxAKnvWwtKmn8aSyGzCNGrJrLfiyZjVeMJ4LiGhsFYIe5ZNbdWr
InJcn+0ebldbhOGq/ebTXS4/Z0TFFmu3Hs/zKyeJ92ln1dBslUNLuFYWVmhm5e7S
o/RfSWHR6OTJ2Tb3TDhERvEbR5babxZuAlaiCquRAtqlIz4ebFMLES0atD6EPcP0
pPRE5OJytEpi0ZZ0DGjASJlBKAZu9JX1GwqcwHMmRsSYaODH7elGcL+FWRUDrABc
mD5nfeHzHThdjYDt3phhNLaYjw9HxE5vVPxLb0Ga9c4PAr5W1eer3/l1otE/r4RM
aLVCmeXiXGcxdKn6uQGORleXzCszaZbyRWuDAbV1O7elvwopp1olCgrHlnW3SQ8w
od/iQLhZwizoMZeFOeFl
=d390
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message