struts-user mailing list archives

From Micael Padraig Og mac Grene <caraun...@harbornet.com>
Subject RE: Inside WEB-INF or outside WEB-INF? Struts security.
Date Sat, 20 Apr 2002 07:39:53 GMT
Exactly!  So, why do the typical examples put the jsp pages outside?

At 02:43 PM 4/19/02 -0300, you wrote:
>He means that it is more secure to place JSP files
>inside the WEB-INF directory, since it does not allow
>direct access to its files.
>So, nobody would be able to access the JSP files
>directly, and would then have to use the mapped URLs
>in struts.config.xml, which is more secure.
>
>  --- "Galbreath, Mark" <Galbreath@tessco.com> wrote:
> > I thought I answered that.  If you have nothing that can execute outside
> > WEB-INF, what does security matter?
> >
> > Mark
> >
> > -----Original Message-----
> > From: Micael Padraig Og mac Grene
> > [mailto:caraunltd@harbornet.com]
> > Sent: Friday, April 19, 2002 12:32 PM
> > To: Struts Users Mailing List
> > Subject: RE: Inside WEB-INF or outside WEB-INF?
> > Struts security.
> >
> >
> > Thank you for the response, but it is not responsive
> > to the question I
> > asked, I think.  My question was:
> >
> >          Most sample apps have the jsp pages and
> >          images outside the WEB-INF. Why? Isn't
> >          it more secure inside?
> >
> > So, where the servlets are ultimately put is not the
> > question, Mark.  The
> > question is why do most sample applications put the
> > jsp pages outside the
> > WEB-INF file, even in Tomcat?  That works with
> > Tomcat too.  You can put
> > them in either place, but if you do it outside you
> > use relative urls and if
> > you put them inside you use the controller
> > framework.  My question is why
> > in the world would someone use struts and then put
> > them outside the WEB-INF
> > file?
> >
> > Thanks.
> >
> > Micael
> >
> >
> > At 05:31 AM 4/19/02 -0400, you wrote:
> > >All web containers MUST support files inside WEB-INF by specification.  As
> > >for JSP files, some containers, like Tomcat, consider them controller
> > >component Java classes (servlets) and place them in the WEB-INF/class
> > >directory by default.  Others, like JRun, consider JSPs view components
> > >(they are, if used "correctly") and place them in a "jsp" directory outside
> > >WEB-INF.
> > >
> > >The point is, JSPs should never have executable Java scriptlets in them.
> > >Programmatic functionality should consist solely of tags, which hide the
> > >implementation inside WEB-INF.
> > >
> > >Mark
> > >
> > >-----Original Message-----
> > >From: Victor Hadianto [mailto:victorh@nuix.com.au]
> > >Sent: Friday, April 19, 2002 3:18 AM
> > >
> > >On Fri, 19 Apr 2002 08:20, you wrote:
> > > > Most sample apps have the jsp pages and images outside the
> > > > WEB-INF.  Why?  Isn't it more secure inside?
> > >
> > >Not all web containers support files inside the WEB-INF. Tomcat does.
> > >
> > >--
> > >To unsubscribe, e-mail:
> > <mailto:struts-user-unsubscribe@jakarta.apache.org>
> > >For additional commands, e-mail:
> > <mailto:struts-user-help@jakarta.apache.org>
>
>=====
>----------------------------------------
>Frederico Ferro Schuh
>fred_schuh@yahoo.com.br
>ICQ: 20486081



--
To unsubscribe, e-mail:   <mailto:struts-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:struts-user-help@jakarta.apache.org>
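
Added example, not part of any message in this thread: a Struts 1.x `struts-config.xml` fragment contrasting a forward to a JSP outside WEB-INF, which stays reachable by direct URL, with forwards to JSPs under WEB-INF, which only the controller can reach. The action paths, the class `example.AccountAction` and the JSP file names are hypothetical.

```xml
<!-- Added illustration; every path and class name here is hypothetical. -->
<struts-config>
  <action-mappings>

    <!-- JSP outside WEB-INF. It renders through the action, but a client
         can also request /pages/account.jsp directly, which skips any
         check performed in the Action class. -->
    <action path="/accountOpen" type="example.AccountAction">
      <forward name="success" path="/pages/account.jsp"/>
    </action>

    <!-- JSP inside WEB-INF. The container does not serve anything under
         WEB-INF to a client request, so the page is reachable only via
         the server-side forward issued after the Action has run. -->
    <action path="/account" type="example.AccountAction">
      <forward name="success" path="/WEB-INF/jsp/account.jsp"/>
    </action>

    <!-- A view with no Action class still goes through the controller
         when the mapping uses the forward attribute. -->
    <action path="/welcome" forward="/WEB-INF/jsp/welcome.jsp"/>

  </action-mappings>
</struts-config>
```

With the usual `*.do` servlet mapping, `/account.do` renders the protected page, while a direct request for `/WEB-INF/jsp/account.jsp` is refused by the container.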

