Re: tomcat serves .jsp file contained in WEB-INF
From: "Craig R. McClanahan" <[EMAIL PROTECTED]> > It's legal to access either of these URLs, however, in the following ways: > RequestDispatcher rd = > getServletContext().getRequestDispatcher("/WEB-INF/inside.jsp"); > rd.forward(request, response); Is the ability to request dispatch to a .jsp inside WEB-INF part of the Servlet 2.2 spec or a tomcat specific feature? I ask because when I read it only said that direct requests to WEB-INF were disallowed and did not say anything about request dispatches. In addition, I know for a fact that jRun 3.0 does not allow request dispatches to WEB-INF. -- Richard F. Wan email: [EMAIL PROTECTED] Phone: 403 263 3287 Fax: 403 265 5690 Servidium Inc. Suite 800, 840 7th Ave SW Calgary, Alberta, Canada T2P 3G2
RE: tomcat serves .jsp file contained in WEB-INF
This was fixed in Tomcat 3.2.1 and I've verified that Tomcat 3.2.2 does not serve the JSP file in WEB-INF either. > -Original Message- > From: Richard Wan [mailto:[EMAIL PROTECTED]] > Sent: Thursday, May 10, 2001 4:20 PM > To: Craig R. McClanahan; [EMAIL PROTECTED] > Subject: Re: tomcat serves .jsp file contained in WEB-INF > > > From: "Craig R. McClanahan" <[EMAIL PROTECTED]> > > > http://machine:port/appname/WEB-INF/inside.jsp would get served but > > > http://machine:port/appname/WEB-INF/inside.html would not? > > Neither one should be served back to a direct client request for these > > URLs. The server is prohibited from returning anything under > "WEB-INF" or > > "META-INF". > > > I've attached a small (4k) .war file which under tomcat 3.2 appears to > violate this rule. > Namely, direct browser requests to WEB-INF/inside.jsp are served. > Is this a known bug? Have I found a bug? or am I just crazy? > > > It's legal to access either of these URLs, however, in the > following ways: > > * As the destination of a RequestDispatcher.forward() or include(): > > > > RequestDispatcher rd = > > getServletContext().getRequestDispatcher("/WEB-INF/inside.jsp"); > > rd.forward(request, response); > > > Excellent, this is precisely what I was hoping. > > -- > Richard F. Wan > email: [EMAIL PROTECTED] > Phone: 403 263 3287 > Fax: 403 265 5690 > Servidium Inc. Suite 800, 840 7th Ave SW > Calgary, Alberta, Canada T2P 3G2 > >
Re: tomcat serves .jsp file contained in WEB-INF
From: "Craig R. McClanahan" <[EMAIL PROTECTED]> > > http://machine:port/appname/WEB-INF/inside.jsp would get served but > > http://machine:port/appname/WEB-INF/inside.html would not? > Neither one should be served back to a direct client request for these > URLs. The server is prohibited from returning anything under "WEB-INF" or > "META-INF". I've attached a small (4k) .war file which under tomcat 3.2 appears to violate this rule. Namely, direct browser requests to WEB-INF/inside.jsp are served. Is this a known bug? Have I found a bug? or am I just crazy? > It's legal to access either of these URLs, however, in the following ways: > * As the destination of a RequestDispatcher.forward() or include(): > > RequestDispatcher rd = > getServletContext().getRequestDispatcher("/WEB-INF/inside.jsp"); > rd.forward(request, response); Excellent, this is precisely what I was hoping. -- Richard F. Wan email: [EMAIL PROTECTED] Phone: 403 263 3287 Fax: 403 265 5690 Servidium Inc. Suite 800, 840 7th Ave SW Calgary, Alberta, Canada T2P 3G2 rwsample.war
Re: tomcat serves .jsp file contained in WEB-INF
On Thu, 10 May 2001, Richard Wan wrote: > Is the following a bug or a part of the Servlet 2.2 spec? > > http://machine:port/appname/WEB-INF/inside.jsp would get served but > http://machine:port/appname/WEB-INF/inside.html would not? > Neither one should be served back to a direct client request for these URLs. The server is prohibited from returning anything under "WEB-INF" or "META-INF". It's legal to access either of these URLs, however, in the following ways: * Inside a servlet, using something like this: InputStream is = getServletContext().getResourceAsStream("/WEB-INF/web.xml"); * As the destination of a RequestDispatcher.forward() or include(): RequestDispatcher rd = getServletContext().getRequestDispatcher("/WEB-INF/inside.jsp"); rd.forward(request, response); or RequestDispatcher rd = getServletContext().getRequestDispatcher("/WEB-INF/inside.html"); rd.include(request, response); > -- > Richard F. Wan Craig McClanahan