portals-jetspeed-dev mailing list archives

From ingo schuster <ingo.apa...@web.de>
Subject Re: Servlet 2.2 Spec. and serving files from the WEB-INF directory
Date Thu, 08 Mar 2001 13:19:55 GMT
Man, you are all quick with your +1s...

My opinion is:
The WEB-INF is the only place that is per default safe in a way that *under 
no circumstances* a client can request a file and get it delivered by the 
HTTP server. This is very important with respect to security, and I 
wouldn't want to place any file that doesn't need to be served by the HTTP 
server somewhere else - unless there is a *very* good reason for doing so. 
This includes JSPs; they may contain comments and code that must not be 
viewed by clients. (The same holds true for logs: nobody apart from the system 
administrators should be able to read them.)

"No file contained in the WEB-INF directory may be served directly to a 
client." means that it is not possible to send a request 
"http://myserver/myapp/WEB-INF/fileXY" and get it delivered *by the HTTP 
server*. A servlet that receives a request under a different URL is of 
course allowed to read and deliver this file. It is also allowed to forward 
the request to another servlet in the WEB-INF/lib directory. JSPs are 
conceptually almost the same as servlets and I'd say that the servlet can 
_of course_ forward the request to a JSP below WEB-INF. (David, what did you 
mean by "bug in the servlet container"? Does this vendor regard it as a bug 
if it's not possible to forward the requests to JSPs below WEB-INF?)
In short: I can't see how template processing is a _direct_ serving of a 
file - I don't think that's fuzzy at all. Direct serving is the HTTP server 
picking up a file and delivering it, with no webapp code working in between.
A second argument: if we move the templates up to the web-root and protect 
them so that they can't be requested by a client directly -- then where is 
the difference to putting them in the WEB-INF??

So I'm -1 for moving the templates to the web root. We only risk that we 
get additional problems with securing the directory there.



Writing in the WEB-INF is a problem, I can see this. I'm +1 for moving the 
cache to the work area - it is temporary data anyway.
Regarding the logs and the psml, I'm not sure what to do; I can see that 
they shouldn't be below WEB-INF, but I don't like to place them in a temp 
directory (that's what the work area is) - for production that's 
unacceptable. I agree with Santiago that a DB/LDAP would be the best place 
for a serious installation, but for development, I can't think of a really 
good place...


To summarize: I'm

-1 for moving the 'templates' to the web root,
+1 for leaving them where they are
-1 for moving the 'logs' to the web root,
+0 for moving them to the work area,
-0 for moving the 'cache' to the web root
+1 for moving them to the work area,

+1 for moving the psml out of WEB-INF
(-1 for moving them to the web root)
... no idea where to put them. A BLOB in the DB?


ingo.


---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: jetspeed-dev-help@jakarta.apache.org
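The distinction the message draws, between the container serving a file under WEB-INF directly (forbidden by the Servlet 2.2 spec) and a servlet forwarding a request to a JSP there (allowed), is easiest to see in code. The following servlet is an added example written for this archive page; it is not Jetspeed code and not from the poster. The servlet class name, the mapping (assume `<url-pattern>/page/*</url-pattern>` in web.xml), the directory `/WEB-INF/templates/` and the template names are all assumptions. It also adds the check a practitioner would want: the template is chosen from an allow-list, so a client can never use the forward to pull an arbitrary file from under WEB-INF (web.xml, a log, a psml file) even though the container would not serve those files directly.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * Hypothetical template-dispatching servlet (added example, not Jetspeed code).
 *
 * Assumed web.xml mapping:  <url-pattern>/page/*</url-pattern>
 * Assumed layout:           /WEB-INF/templates/{home,news,login}.jsp
 *
 * GET /myapp/WEB-INF/templates/home.jsp  -> refused by the container (spec)
 * GET /myapp/page/home                   -> this servlet forwards to the JSP
 */
public class TemplateServlet extends HttpServlet {

    /** Directory under WEB-INF that holds the JSP templates (assumed). */
    private static final String TEMPLATE_DIR = "/WEB-INF/templates/";

    /** Template names a client may select (assumed allow-list). */
    private static final Set<String> KNOWN_TEMPLATES =
            new HashSet<String>(Arrays.asList("home", "news", "login"));

    /**
     * Maps a client-supplied name to a template path, or returns null when the
     * name is not a known template. An allow-list, rather than merely rejecting
     * "..", guarantees the forward target is always one of our own JSPs and
     * never some other file that happens to live under WEB-INF.
     */
    static String resolveTemplate(String name) {
        if (name == null || !KNOWN_TEMPLATES.contains(name)) {
            return null;
        }
        return TEMPLATE_DIR + name + ".jsp";
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // For GET /myapp/page/home the path info is "/home"; no path info
        // means the default template.
        String pathInfo = req.getPathInfo();
        String name = (pathInfo == null || pathInfo.length() < 2)
                ? "home"
                : pathInfo.substring(1);

        String template = resolveTemplate(name);
        if (template == null) {
            // Unknown (or traversal-looking) name: behave as if it doesn't exist.
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // The container executes the JSP on behalf of this servlet. That is
        // the "webapp code working in between" the message talks about, so it
        // is not a direct serving of /WEB-INF/templates/home.jsp.
        RequestDispatcher rd = getServletContext().getRequestDispatcher(template);
        if (rd == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        rd.forward(req, resp);
    }
}
```

`ServletContext.getRequestDispatcher` and `RequestDispatcher.forward` are part of the Servlet 2.2 API, so the forward into WEB-INF needs nothing beyond the standard container; if a container refuses it, that is the vendor behaviour the message asks David about. Note that the allow-list is what keeps the forward safe: the spec only stops the container from handing out WEB-INF files on its own, it does not stop a servlet from forwarding to whatever path it is handed.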

