Re: [OT] WEB-INF
On 11.07.2013, at 17:36, André Warnier a...@ice-sa.com wrote: Leo Donahue - RDSA IT wrote: You mention header/footers, which was in the back of my mind when I posted this. Placing headers/footers in WEB-INF doesn't allow me to re-use these in different webapps, without having multiple copies of these? If I have a header/footer template in \webapps\ROOT\WEB-INF\templates\, I can't reference it from \webapps\App2\WEB-INF\templates ... or can I? There are 2 schools of thought here. One says that webapps should be independent of one another. And that's the only school of thought that the servlet spec supports (for better or worse). At the deployed application stage (vs. development) reuse is not supported at all, each web app must be self-contained. Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] WEB-INF
On 15/07/2013 10:38, Rainer Frey wrote: On 11.07.2013, at 17:36, André Warnier a...@ice-sa.com wrote: Leo Donahue - RDSA IT wrote: You mention header/footers, which was in the back of my mind when I posted this. Placing headers/footers in WEB-INF doesn't allow me to re-use these in different webapps, without having multiple copies of these? If I have a header/footer template in \webapps\ROOT\WEB-INF\templates\, I can't reference it from \webapps\App2\WEB-INF\templates ... or can I? There are 2 schools of thought here. One says that webapps should be independent of one another. And that's the only school of thought that the servlet spec supports (for better or worse). At the deployed application stage (vs. development) reuse is not supported at all, each web app must be self-contained. There was going to be support for overlays in Servlet 3.1 but that got dropped as part of dropping anything related to multi-tenancy. Generally, I think dropping the multi-tenancy stuff was a good idea. I'd prefer to see a clearer requirement for it from the user base and it is something I rarely see here and when it is seen there is usually a way to meet the requirement with existing functionality anyway. The overlap support would have been useful. The good news from a user point of view is that I re-wrote the resource implementation for Tomcat 8 with overlay support in mind. (The bad news from my point of view is the first piece of Servlet 3.1 functionality I invested time in was dropped pretty much as I finished the work. Hey ho.) The new resource implementation is still in Tomcat 8 and should make sharing content between web applications very simple. Of course, it will be Tomcat specific. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: [OT] WEB-INF
-Original Message- From: Mark Thomas [mailto:ma...@apache.org] Subject: Re: [OT] WEB-INF I'd prefer to see a clearer requirement for it from the user base What about a single site with multiple webapps all laid out with the same header/footer, left/right navigation styles ? - all static content. I understand now that the build/deploy process will take care of the redundant templates. A change in one header/footer just means I redeploy every web app using it - or essentially all of them. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] WEB-INF
On 15/07/2013 15:38, Leo Donahue - RDSA IT wrote: -Original Message- From: Mark Thomas [mailto:ma...@apache.org] Subject: Re: [OT] WEB-INF I'd prefer to see a clearer requirement for it from the user base What about a single site with multiple webapps all laid out with the same header/footer, left/right navigation styles ? - all static content. That is covered by overlays. Multi-tenancy was a lot wider than that. I understand now that the build/deploy process will take care of the redundant templates. A change in one header/footer just means I redeploy every web app using it - or essentially all of them. This should be a lot easier to handle with Tomcat 8. If this is a problem that applies to a site you manage, I'd encourage you to grab the 8.0.x source, built it and try out the new resource handling. Feedback welcome. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: [OT] WEB-INF
-Original Message- From: Mark Thomas [mailto:ma...@apache.org] Subject: Re: [OT] WEB-INF ...I'd encourage you to grab the 8.0.x source, built it and try out the new resource handling. Feedback welcome. From here? http://ci.apache.org/projects/tomcat/tomcat8/docs/building.html The source download link (http://tomcat.apache.org/download-80.cgi ) says permission denied. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] WEB-INF
On 15/07/2013 17:17, Leo Donahue - RDSA IT wrote: -Original Message- From: Mark Thomas [mailto:ma...@apache.org] Subject: Re: [OT] WEB-INF ...I'd encourage you to grab the 8.0.x source, built it and try out the new resource handling. Feedback welcome. From here? http://ci.apache.org/projects/tomcat/tomcat8/docs/building.html The source download link (http://tomcat.apache.org/download-80.cgi ) says permission denied. There is no source download yet as there has been no 8.0.x release. You'll need to check out /trunk/ from svn as per http://tomcat.apache.org/svn.html Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: [OT] WEB-INF
-Original Message- From: Mark Thomas [mailto:ma...@apache.org] Sent: Monday, July 15, 2013 1:46 PM To: Tomcat Users List Subject: Re: [OT] WEB-INF On 15/07/2013 17:17, Leo Donahue - RDSA IT wrote: -Original Message- From: Mark Thomas [mailto:ma...@apache.org] Subject: Re: [OT] WEB-INF ...I'd encourage you to grab the 8.0.x source, built it and try out the new resource handling. Feedback welcome. From here? http://ci.apache.org/projects/tomcat/tomcat8/docs/building.html The source download link (http://tomcat.apache.org/download-80.cgi ) says permission denied. There is no source download yet as there has been no 8.0.x release. You'll need to check out /trunk/ from svn as per http://tomcat.apache.org/svn.html Mark When you say resource handling are you referring to serving files from within a jars' META-INF/resource folder? -Andrew - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] WEB-INF
On 15/07/2013 20:09, Andrew Kujtan wrote: When you say resource handling are you referring to serving files from within a jars' META-INF/resource folder? Yes, and more. See the Tomcat docs from the CI system for details: http://ci.apache.org/projects/tomcat/tomcat8/docs/config/resources.html There was also lots of discussion on the dev list in June - Sept 2012 such as this thread: http://tomcat.markmail.org/thread/ucgknkeserel44sd Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] WEB-INF
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 André, On 7/11/13 11:36 AM, André Warnier wrote: Leo Donahue - RDSA IT wrote: -Original Message- From: Tim Funk [mailto:funk...@apache.org] Subject: Re: [OT] WEB-INF Its a best practice to keep your jsp's inside of WEB-INF. Since WEB-INF/ is not allowed to be requested by the browser - its a simple enforcement mechanism to prevent users from direct access to calling jsps. Thanks Tim. A lot of old reference books on servlets/JSP never really touched on this topic, and I've read about placing resources in WEB-INF on the web somewhere since then. I was curious if this practice was originally by design or if the benefit was realized after the servlet spec - such as someone deciding hey, we should put stuff in WEB-INF. (Since it may be common to have jsp's as snippets for header / footers etc -- and there for they might be able to be called in surprising ways and exposing funny attacks) You mention header/footers, which was in the back of my mind when I posted this. Placing headers/footers in WEB-INF doesn't allow me to re-use these in different webapps, without having multiple copies of these? If I have a header/footer template in \webapps\ROOT\WEB-INF\templates\, I can't reference it from \webapps\App2\WEB-INF\templates ... or can I? There are 2 schools of thought here. One says that webapps should be independent of one another. On that base, you /should/ duplicate these headers/footers for each webapp, so that they can still be individually modified/redeployed. And one could argue that they are probably not so big (bytewise), so the additional space required should not be a real inconvenient. The other school of thought would argue that have multiple redundant copies of something is bad, because it can lead to diverging versions etc. (And the first school of thought would then come back with a vengeance, saying that this is an issue which your deployment process should take care of). For the record, I personally am an instructor at this particular School of Thought (solve duplication issues with deployment processes). Here's why: your web application(s) will become overly complicated and fragile if you try to share resources between webapps. Fragility is IMO more expensive than the maintenance cost of a more complicated build. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJR4AZCAAoJEBzwKT+lPKRYInsP/0qPu/Yuk1Olh3bcrg5/4pIQ dl4d8q6pKHZusPzGp2d27fb7grMXXUXCXvx8qe+uswNxslSXKaqIAdtd8lYGz7b5 ppPYBsSm648DzPJ4hX2JAEk8bc1GE19nl6e702lWH0SMceFxEnxqu56XAI57DPQa 9LwUrmjPsIiw213O4S/Mc8HQcBw4FpTMx9zP1G/iW+QLNA9k+4OFjuqNN6A+56oc Tfxu3TFrgcMUv7ag7C0WEq6Pkayfz8aEcpmD/QyW4CD/UnvFSj9+XBeKOdSUhK8d tn9p62RPp8uH8AxAKnvWwtKmn8aSyGzCNGrJrLfiyZjVeMJ4LiGhsFYIe5ZNbdWr InJcn+0ebldbhOGq/ebTXS4/Z0TFFmu3Hs/zKyeJ92ln1dBslUNLuFYWVmhm5e7S o/RfSWHR6OTJ2Tb3TDhERvEbR5babxZuAlaiCquRAtqlIz4ebFMLES0atD6EPcP0 pPRE5OJytEpi0ZZ0DGjASJlBKAZu9JX1GwqcwHMmRsSYaODH7elGcL+FWRUDrABc mD5nfeHzHThdjYDt3phhNLaYjw9HxE5vVPxLb0Ga9c4PAr5W1eer3/l1otE/r4RM aLVCmeXiXGcxdKn6uQGORleXzCszaZbyRWuDAbV1O7elvwopp1olCgrHlnW3SQ8w od/iQLhZwizoMZeFOeFl =d390 -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] WEB-INF
Its a best practice to keep your jsp's inside of WEB-INF. Since WEB-INF/ is not allowed to be requested by the browser - its a simple enforcement mechanism to prevent users from direct access to calling jsps. (Since it may be common to have jsp's as snippets for header / footers etc -- and there for they might be able to be called in surprising ways and exposing funny attacks) On Wed, Jul 10, 2013 at 6:08 PM, Leo Donahue - RDSA IT leodona...@mail.maricopa.gov wrote: When did it start that developers decided to place jsps in the WEB-INF directory? Was that intended from the beginning, or was it stumbled upon? Leo
RE: [OT] WEB-INF
-Original Message- From: Tim Funk [mailto:funk...@apache.org] Subject: Re: [OT] WEB-INF Its a best practice to keep your jsp's inside of WEB-INF. Since WEB-INF/ is not allowed to be requested by the browser - its a simple enforcement mechanism to prevent users from direct access to calling jsps. Thanks Tim. A lot of old reference books on servlets/JSP never really touched on this topic, and I've read about placing resources in WEB-INF on the web somewhere since then. I was curious if this practice was originally by design or if the benefit was realized after the servlet spec - such as someone deciding hey, we should put stuff in WEB-INF. (Since it may be common to have jsp's as snippets for header / footers etc -- and there for they might be able to be called in surprising ways and exposing funny attacks) You mention header/footers, which was in the back of my mind when I posted this. Placing headers/footers in WEB-INF doesn't allow me to re-use these in different webapps, without having multiple copies of these? If I have a header/footer template in \webapps\ROOT\WEB-INF\templates\, I can't reference it from \webapps\App2\WEB-INF\templates ... or can I? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] WEB-INF
Leo Donahue - RDSA IT wrote: -Original Message- From: Tim Funk [mailto:funk...@apache.org] Subject: Re: [OT] WEB-INF Its a best practice to keep your jsp's inside of WEB-INF. Since WEB-INF/ is not allowed to be requested by the browser - its a simple enforcement mechanism to prevent users from direct access to calling jsps. Thanks Tim. A lot of old reference books on servlets/JSP never really touched on this topic, and I've read about placing resources in WEB-INF on the web somewhere since then. I was curious if this practice was originally by design or if the benefit was realized after the servlet spec - such as someone deciding hey, we should put stuff in WEB-INF. (Since it may be common to have jsp's as snippets for header / footers etc -- and there for they might be able to be called in surprising ways and exposing funny attacks) You mention header/footers, which was in the back of my mind when I posted this. Placing headers/footers in WEB-INF doesn't allow me to re-use these in different webapps, without having multiple copies of these? If I have a header/footer template in \webapps\ROOT\WEB-INF\templates\, I can't reference it from \webapps\App2\WEB-INF\templates ... or can I? There are 2 schools of thought here. One says that webapps should be independent of one another. On that base, you /should/ duplicate these headers/footers for each webapp, so that they can still be individually modified/redeployed. And one could argue that they are probably not so big (bytewise), so the additional space required should not be a real inconvenient. The other school of thought would argue that have multiple redundant copies of something is bad, because it can lead to diverging versions etc. (And the first school of thought would then come back with a vengeance, saying that this is an issue which your deployment process should take care of). You /can/ probably have a single copy, and point to it from several webapps using links (or aliases ?). You'll need to be careful when undeploying webapps, that this does not delete more that what you think (e.g. the things being linked to, from that webapp). As far as I remember, that used to be an issue some time in past Tomcat versions, but still as far as I remember, this can now be fixed by some configuration parameter (which unfortunately I do not remember the name or location of; you may want to re-read this carefully : https://tomcat.apache.org/tomcat-7.0-doc/config/context.html). - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] WEB-INF
On Wed, 2013-07-10 at 15:08 -0700, Leo Donahue - RDSA IT wrote: When did it start that developers decided to place jsps in the WEB-INF directory? Was that intended from the beginning, or was it stumbled upon? My guess is that it was a side effect of MVC adoption -- making views accessible only via a controller. Leo signature.asc Description: This is a digitally signed message part