struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Craig R. McClanahan" <>
Subject Re: Struts and Orion App Server
Date Wed, 14 Jun 2000 17:16:09 GMT
Kevin Duffey wrote:

> Second, Struts defaults to /WEB-INF/action.xml to load the action.xml config
> file. Apparently, this is not allowed per Servlet 2.2 app can not
> access the WEB-INF dir, only the server can. I don't know how valid this is,
> but as soon as I moved action.xml to my /www folder, and in my
> WEB-INF/web.xml file set the init attribute of config to use /action.xml
> (instead of /WEB-INF/action.xml) everything worked.

It is perfectly acceptable for a servlet or JSP page to use the
ServletContext.getResource() call to access things in the WEB-INF subdirectory.
If your servlet container does not let you do this, it's a bug in the
container.  (The reason this directory was defined as it is in the servlet spec
was for precisely this purpose -- to hold configuration files and other things
in a well-defined place.)

What is prohibited is serving the contents of any file under WEB-INF in response
to a client request like this:

because you don't want clients to be able to snoop your configuration files.
After all, there is often sensitive information like database passwords stored
in these files.


View raw message