struts-user mailing list archives

From Frederico Schuh <fred_sc...@yahoo.com.br>
Subject RE: Inside WEB-INF or outside WEB-INF? Struts security.
Date Fri, 19 Apr 2002 17:43:32 GMT
He means that it is more secure to place JSP files
inside the WEB-INF directory, since it does not allow
direct access to its files.
So, nobody would be able to access the JSP files
directly, and would then have to use the mapped URLs
in struts.config.xml, which is more secure.

 --- "Galbreath, Mark" <Galbreath@tessco.com> wrote:
> I thought I answered that.  If you have nothing that can execute outside
> WEB-INF, what does security matter?
> 
> Mark
> 
> -----Original Message-----
> From: Micael Padraig Og mac Grene
> [mailto:caraunltd@harbornet.com]
> Sent: Friday, April 19, 2002 12:32 PM
> To: Struts Users Mailing List
> Subject: RE: Inside WEB-INF or outside WEB-INF? Struts security.
>
>
> Thank you for the response, but it is not responsive to the question I
> asked, I think.  My question was:
>
>          Most sample apps have the jsp pages and
>          images outside the WEB-INF. Why? Isn't
>          it more secure inside?
>
> So, where the servlets are ultimately put is not the question, Mark.  The
> question is why do most sample applications put the jsp pages outside the
> WEB-INF file, even in Tomcat?  That works with Tomcat too.  You can put
> them in either place, but if you do it outside you use relative urls and if
> you put them inside you use the controller framework.  My question is why
> in the world would someone use struts and then put them outside the WEB-INF
> file?
> 
> Thanks.
> 
> Micael
> 
> 
> At 05:31 AM 4/19/02 -0400, you wrote:
> >All web containers MUST support files inside WEB-INF by specification.  As
> >for JSP files, some containers, like Tomcat, consider them controller
> >component Java classes (servlets) and place them in the WEB-INF/class
> >directory by default.  Others, like JRun, consider JSPs view components
> >(they are, if used "correctly") and place them in a "jsp" directory outside
> >WEB-INF.
> >
> >The point is, JSPs should never have executable Java scriptlets in them.
> >Programmatic functionality should consist solely of tags, which hide the
> >implementation inside WEB-INF.
> >
> >Mark
> >
> >-----Original Message-----
> >From: Victor Hadianto [mailto:victorh@nuix.com.au]
> >Sent: Friday, April 19, 2002 3:18 AM
> >
> >On Fri, 19 Apr 2002 08:20, you wrote:
> > > Most sample apps have the jsp pages and images outside the
> > > WEB-INF.  Why?  Isn't it more secure inside?
> >
> >Not all web containers support files inside the WEB-INF. Tomcat does.
> >
> >--
> >To unsubscribe, e-mail: <mailto:struts-user-unsubscribe@jakarta.apache.org>
> >For additional commands, e-mail: <mailto:struts-user-help@jakarta.apache.org>

=====
----------------------------------------
Frederico Ferro Schuh
fred_schuh@yahoo.com.br
ICQ: 20486081
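
A check for the layout discussed in this thread, as an added example that is not part of the original messages: it lists the JSPs in a WAR that sit outside WEB-INF (and so can be requested by URL without going through the controller) and the Struts 1 action/forward targets that point at them. The sample WAR, its file names and `example.LoginAction` are constructed for illustration, and the config is assumed to live at `WEB-INF/struts-config.xml`.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

CONFIG = "WEB-INF/struts-config.xml"  # assumed (default) config location
# Attributes that name a resource the controller forwards to or includes.
TARGET_ATTRS = {"action": ("forward", "include", "input"), "forward": ("path",)}

def is_protected(path):
    """True if the path is under WEB-INF, which containers never serve directly."""
    return path.lstrip("/").startswith("WEB-INF/")

def audit_war(war):
    """Return (JSPs requestable by URL, Struts targets pointing outside WEB-INF)."""
    with zipfile.ZipFile(war) as zf:
        names = zf.namelist()
        config = zf.read(CONFIG) if CONFIG in names else None
    exposed_jsps = sorted(n for n in names
                          if n.lower().endswith(".jsp") and not is_protected(n))
    exposed_targets = []
    if config is not None:
        for el in ET.fromstring(config).iter():
            for attr in TARGET_ATTRS.get(el.tag, ()):
                target = el.get(attr, "")
                if target.lower().endswith(".jsp") and not is_protected(target):
                    exposed_targets.append((el.tag, attr, target))
    return exposed_jsps, exposed_targets

def build_sample_war():
    """Constructed sample WAR: login.jsp sits outside WEB-INF, the rest inside."""
    config = """<struts-config><action-mappings>
      <action path="/welcome" forward="/WEB-INF/jsp/welcome.jsp"/>
      <action path="/login" type="example.LoginAction" input="/login.jsp">
        <forward name="success" path="/WEB-INF/jsp/home.jsp"/>
      </action>
    </action-mappings></struts-config>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(CONFIG, config)
        for name in ("login.jsp", "WEB-INF/jsp/welcome.jsp", "WEB-INF/jsp/home.jsp"):
            zf.writestr(name, "<%-- view --%>")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    jsps, targets = audit_war(build_sample_war())
    print("JSPs requestable by URL:", jsps)
    print("Struts targets outside WEB-INF:", targets)
```

`audit_war` also accepts a path to a real `.war` file; an empty result for both lists means every JSP is reachable only through a mapped action.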

