
Moving resources under WEB-INF

I have a web application that contains hundreds of HTML, JavaScript and image files. These files are located under the root directory:

my_root--
    -- html
    -- js
    -- images

These folders contain some subfolders.

For security reasons I need to move all these resources under the WEB-INF folder so they will not be directly accessible.

Currently JSP and servlet files are already under the WEB-INF folder.

What is the easiest method for me to safely move all HTML/JavaScript/images folders under the WEB-INF without breaking all links/forwarding to resources in these folders and make sure these resources are not directly accessible?

I am using WebSphere and WebLogic servers.

Ronen asked Aug 23 '12 08:08




1 Answer

What is the easiest method for me to safely move all html/js/images folders under the WEB-INF without breaking all links/forwarding to resources in these folders and make sure these resources are not directly accessible?

You're making a thinking mistake here. HTML/JS/image (and CSS) resources need to be directly accessible anyway. For JSPs the story is different, some of them, if not all, need to be preprocessed by a servlet (e.g. to retrieve some list from DB for display in a table). If those JSPs were accessed directly, then that servlet step would be skipped altogether, which is absolutely not what you want (the JSPs end up "empty"; without any data from the DB). That's why they should be hidden in /WEB-INF to prevent direct access without going through a preprocessing servlet first. Also, in case of servlet based MVC frameworks, this way the whole MVC framework process (collecting request parameters, converting/validating them, updating model values, invoking actions, etc.) would be skipped.

Your concrete functional requirement is not exactly clear (the whole question makes no sense on its own; the answer is just "don't do that"), but if you actually want to restrict access to static resources which don't need to be preprocessed by a servlet at all to certain users only, then you need to implement an authentication/login system. You can utilize container managed authentication or homegrow a Filter for this.

BalusC answered Oct 11 '22 23:10