struts-user mailing list archives

From "Craig R. McClanahan" <Craig.McClana...@eng.sun.com>
Subject Re: Struts and Orion App Server
Date Wed, 14 Jun 2000 17:16:09 GMT
Kevin Duffey wrote:

>
> Second, Struts defaults to /WEB-INF/action.xml to load the action.xml config
> file. Apparently, this is not allowed per Servlet 2.2 spec... an app cannot
> access the WEB-INF dir, only the server can. I don't know how valid this is,
> but as soon as I moved action.xml to my /www folder, and in my
> WEB-INF/web.xml file set the init attribute of config to use /action.xml
> (instead of /WEB-INF/action.xml) everything worked.
>

It is perfectly acceptable for a servlet or JSP page to use the
ServletContext.getResource() call to access things in the WEB-INF subdirectory.
If your servlet container does not let you do this, it's a bug in the
container.  (The reason this directory was defined as it is in the servlet spec
was for precisely this purpose -- to hold configuration files and other things
in a well-defined place.)

What is prohibited is serving the contents of any file under WEB-INF in response
to a client request like this:

    http://www.mycompany.com/WEB-INF/action.xml

because you don't want clients to be able to snoop your configuration files.
After all, there is often sensitive information like database passwords stored
in these files.

Craig
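
The following is an added example, not part of the original message and not Struts code: a servlet that reads its configuration through the ServletContext and refuses to start if the `config` init parameter points outside /WEB-INF/, where the container would serve the file to clients. The class name `ConfigLoadingServlet` and the refusal policy are assumptions made for illustration.

```java
import java.io.InputStream;
import javax.servlet.ServletException;
import javax.servlet.UnavailableException;
import javax.servlet.http.HttpServlet;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

// Hypothetical servlet for illustration; not the Struts ActionServlet.
public class ConfigLoadingServlet extends HttpServlet {

    private static final String PROTECTED_PREFIX = "/WEB-INF/";
    private static final String DEFAULT_CONFIG = "/WEB-INF/action.xml";

    private Document config;

    @Override
    public void init() throws ServletException {
        // "config" is the init parameter name mentioned in the quoted message.
        String path = getInitParameter("config");
        if (path == null) {
            path = DEFAULT_CONFIG;
        }

        // Assumed policy: a config file outside /WEB-INF/ (for example
        // /action.xml in the web root) can be fetched by any client, so
        // treat that as a deployment error instead of loading it.
        if (!path.startsWith(PROTECTED_PREFIX) || path.contains("..")) {
            throw new UnavailableException(
                "config '" + path + "' is not under " + PROTECTED_PREFIX);
        }

        // Server-side access to WEB-INF goes through the ServletContext,
        // not through an HTTP request to the application's own URL space.
        try (InputStream in = getServletContext().getResourceAsStream(path)) {
            if (in == null) {
                throw new UnavailableException("config not found: " + path);
            }
            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
            dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            config = dbf.newDocumentBuilder().parse(in);
            log("loaded " + path + ", root element <"
                + config.getDocumentElement().getNodeName() + ">");
        } catch (ServletException e) {
            throw e;
        } catch (Exception e) {
            throw new ServletException("cannot parse " + path, e);
        }
    }
}
```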


