tomcat-users mailing list archives

From Leo Donahue - RDSA IT <>
Subject RE: [OT] WEB-INF
Date Thu, 11 Jul 2013 15:03:02 GMT
>-----Original Message-----
>From: Tim Funk []
>Subject: Re: [OT] WEB-INF
>It's a best practice to keep your JSPs inside of WEB-INF. Since WEB-INF/ is not
>allowed to be requested by the browser - it's a simple enforcement
>mechanism to prevent users from direct access to calling JSPs.

Thanks Tim.  A lot of old reference books on servlets/JSP never really touched on this topic,
and I've read about placing resources in WEB-INF on the web somewhere since then.  I was curious
if this practice was originally by design or if the benefit was realized after the servlet
spec - such as someone deciding "hey, we should put stuff in WEB-INF".

>(Since it may be common to have JSPs as snippets for header / footers etc -- and there
>they might be able to be called in surprising ways and exposing funny attacks)

You mention header/footers, which was in the back of my mind when I posted this.  Placing
headers/footers in WEB-INF doesn't allow me to re-use these in different webapps, without
having multiple copies of these? 

If I have a header/footer template in \webapps\ROOT\WEB-INF\templates\, I can't reference
it from \webapps\App2\WEB-INF\templates ... or can I?
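
An added example, not part of the original thread: a small audit that lists the JSP files in a WAR that sit outside the top-level WEB-INF/ and META-INF/ directories and can therefore be requested directly by a browser, so that header/footer fragments can be spotted and moved. The WAR contents and file names are constructed for the demonstration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Top-level directories a servlet container refuses to serve directly.
PROTECTED_ROOTS = {"WEB-INF", "META-INF"}
JSP_SUFFIXES = {".jsp", ".jspx", ".jspf"}


def directly_requestable_jsps(war_bytes):
    """Return sorted WAR entry names of JSP files outside the protected roots."""
    exposed = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for info in war.infolist():
            if info.is_dir():
                continue
            path = PurePosixPath(info.filename)
            if path.suffix.lower() not in JSP_SUFFIXES:
                continue
            # Only an exact top-level WEB-INF/ or META-INF/ counts as protected;
            # a nested "admin/WEB-INF/x.jsp" is an ordinary public path.
            if path.parts and path.parts[0] in PROTECTED_ROOTS:
                continue
            exposed.append(info.filename)
    return sorted(exposed)


def build_sample_war():
    """Constructed sample WAR (in memory) used only for this demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        for name in (
            "index.jsp",
            "includes/header.jsp",
            "includes/footer.jspf",
            "WEB-INF/web.xml",
            "WEB-INF/templates/header.jsp",
            "admin/WEB-INF/report.jsp",
            "static/site.css",
        ):
            war.writestr(name, "<!-- constructed -->")
    return buf.getvalue()


if __name__ == "__main__":
    for entry in directly_requestable_jsps(build_sample_war()):
        print("directly requestable:", entry)
```

Entry pages such as index.jsp are expected in the output; the entries to review are fragments that were only ever meant to be included or forwarded to.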
