Restricting access to a WEB-INF subfolder

Google

Mailing List

Home

Forum Home

JBoss - Java Application Server

Tomcat - JSP/Servlet container

Struts - A MVC web framework

iText - An open source PDF Java Library

JDOM - JDOM XML Parser

JSP - A mailing list about Java Server Pages specification and reference

J2EE - A mailing list for Java(tm) 2 Platform, Enterprise Edition

J2EE Pattern - An interest list for Sun Java Center J2EE Pattern Catalog

Servlet - A mailing list for discussion about Sun Microsystem's Java Servlet API Technology

Struts & Hibernate

Subjects

•	JSP editor plugin for eclipse ?
•	org apache jasper JasperException: Unable to compile class for JSP
•	Tomcat: Connection reset by peer: socket write error
•	Cannot retrieve definition for form bean null
•	Struts Tiles Tutorial (free Struts training)
•	Where do I download Tomcat 4 0 6?
•	Data Access Object (DAO) pattern, example DAO 's
•	Where to download Tomcat v 4 1 24 from?
•	Tomcat 5 0 16 Requested resource not available
•	Subject: Servlet : Session invalidate
•	Oracle Connection Pooling in 3 2 2
•	Servlet action is currently unavailable
•	Tomcat/Struts Unicode Encoding/Decoding problems
•	Subject: Running a Simple JMS Example
•	Tomcat and webapplication specific java library path
•	Mapping in workers2 properties
•	org apache jasper JasperException
•	problem with html:text bean throwing exception
•	Cannot find message resources under key org apache struts action MESSAGE
•	Cannot find message resources under key org apache struts action MESSAGE
•	invalid direct reference problem with solution
•	Tool for jsp debug Try Sysdeo Eclipse Plugin
•	Tomcat 5 Cannot load JDBC driver class 'null ' SQL state: null
•	weblogic ejbc
•	java properties file
•	Jboss 3 2 3 Coyote Can 't re
•	Tomcat 5, Apache2 and mod jk2 integration problem
•	JBoss example problem new to J2EE
•	Value attribute of <html:checkbox
•	url string for connecting jboss to oracle
•	javax servlet ServletException: BeanUtils populate
•	5 0 18: Windows XP Pro vs Windows 2000
•	HTTP Status 404 The requested resource is not available

Restricting access to a WEB-INF subfolder

Restricting access to a WEB-INF subfolder

2005-01-26 - By Ben Hill

Back

Reply: 1 2 3 4

On Wed, 2005-01-26 at 01:17, Jean-Christian Imbeault wrote:

> #1- If I put the files under the web directory, a user could write a URL
> to the file and see it. Is there any way for me to restrict access to this
> directory so that only my servlet can see the files. I.e. a user needs to
> request a file through my servlet.
>
> #2- If I put the files under WEB-INF, the files are hidden from users and
> they cannot create a URL to see them. However from what I have read it
> will also not be possible to forward a request to those files. Is there
> any way for me to have my servlet forward requests to file under WEB-INF
> while at the same time make it impossible for users to create a URL to
> those files?

The spec states that you shouldn't be able to view files via the web
server. Some web servers will allow you to include resources from the
WEB-INF directory in a request, and some wont.

It's generally a bad plan to have this kind of content under your
WEB-INF directory though, and much better to have them outside of the
web root.

--
ben@(protected)
www.javacoder.net - "Java coding, from the source!"

===========================================================================
To unsubscribe, send email to listserv@(protected) and include in the body
of the message "signoff J2EE-INTEREST". For general help, send email to
listserv@(protected) and include in the body of the message "help".