Re: tomcat serves .jsp file contained in WEB-INF
From: "Craig R. McClanahan" <[EMAIL PROTECTED]>
> It's legal to access either of these URLs, however, in the following ways:
> RequestDispatcher rd =
> getServletContext().getRequestDispatcher("/WEB-INF/inside.jsp");
> rd.forward(request, response);
Is the ability to request dispatch to a .jsp inside WEB-INF part
of the Servlet 2.2 spec or a tomcat specific feature? I ask because
when I read it only said that direct requests to WEB-INF were
disallowed and did not say anything about request dispatches.
In addition, I know for a fact that jRun 3.0 does not allow request
dispatches to WEB-INF.
--
Richard F. Wan
email: [EMAIL PROTECTED]
Phone: 403 263 3287
Fax: 403 265 5690
Servidium Inc. Suite 800, 840 7th Ave SW
Calgary, Alberta, Canada T2P 3G2
RE: tomcat serves .jsp file contained in WEB-INF
This was fixed in Tomcat 3.2.1 and I've verified that Tomcat 3.2.2 does not
serve the JSP file in WEB-INF either.
> -Original Message-
> From: Richard Wan [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, May 10, 2001 4:20 PM
> To: Craig R. McClanahan; [EMAIL PROTECTED]
> Subject: Re: tomcat serves .jsp file contained in WEB-INF
>
>
> From: "Craig R. McClanahan" <[EMAIL PROTECTED]>
> > > http://machine:port/appname/WEB-INF/inside.jsp would get served but
> > > http://machine:port/appname/WEB-INF/inside.html would not?
> > Neither one should be served back to a direct client request for these
> > URLs. The server is prohibited from returning anything under
> "WEB-INF" or
> > "META-INF".
>
>
> I've attached a small (4k) .war file which under tomcat 3.2 appears to
> violate this rule.
> Namely, direct browser requests to WEB-INF/inside.jsp are served.
> Is this a known bug? Have I found a bug? or am I just crazy?
>
> > It's legal to access either of these URLs, however, in the
> following ways:
> > * As the destination of a RequestDispatcher.forward() or include():
> >
> > RequestDispatcher rd =
> > getServletContext().getRequestDispatcher("/WEB-INF/inside.jsp");
> > rd.forward(request, response);
>
>
> Excellent, this is precisely what I was hoping.
>
> --
> Richard F. Wan
> email: [EMAIL PROTECTED]
> Phone: 403 263 3287
> Fax: 403 265 5690
> Servidium Inc. Suite 800, 840 7th Ave SW
> Calgary, Alberta, Canada T2P 3G2
>
>
Re: tomcat serves .jsp file contained in WEB-INF
From: "Craig R. McClanahan" <[EMAIL PROTECTED]>
> > http://machine:port/appname/WEB-INF/inside.jsp would get served but
> > http://machine:port/appname/WEB-INF/inside.html would not?
> Neither one should be served back to a direct client request for these
> URLs. The server is prohibited from returning anything under "WEB-INF" or
> "META-INF".
I've attached a small (4k) .war file which under tomcat 3.2 appears to
violate this rule.
Namely, direct browser requests to WEB-INF/inside.jsp are served.
Is this a known bug? Have I found a bug? or am I just crazy?
> It's legal to access either of these URLs, however, in the following ways:
> * As the destination of a RequestDispatcher.forward() or include():
>
> RequestDispatcher rd =
> getServletContext().getRequestDispatcher("/WEB-INF/inside.jsp");
> rd.forward(request, response);
Excellent, this is precisely what I was hoping.
--
Richard F. Wan
email: [EMAIL PROTECTED]
Phone: 403 263 3287
Fax: 403 265 5690
Servidium Inc. Suite 800, 840 7th Ave SW
Calgary, Alberta, Canada T2P 3G2
rwsample.war
Re: tomcat serves .jsp file contained in WEB-INF
On Thu, 10 May 2001, Richard Wan wrote:
> Is the following a bug or a part of the Servlet 2.2 spec?
>
> http://machine:port/appname/WEB-INF/inside.jsp would get served but
> http://machine:port/appname/WEB-INF/inside.html would not?
>
Neither one should be served back to a direct client request for these
URLs. The server is prohibited from returning anything under "WEB-INF" or
"META-INF".
It's legal to access either of these URLs, however, in the following ways:
* Inside a servlet, using something like this:
InputStream is =
getServletContext().getResourceAsStream("/WEB-INF/web.xml");
* As the destination of a RequestDispatcher.forward() or include():
RequestDispatcher rd =
getServletContext().getRequestDispatcher("/WEB-INF/inside.jsp");
rd.forward(request, response);
or
RequestDispatcher rd =
getServletContext().getRequestDispatcher("/WEB-INF/inside.html");
rd.include(request, response);
> --
> Richard F. Wan
Craig McClanahan
