"Danny.Coward" wrote:
> Since version 2.2 the specification has been explicit that web containers
> should not serve back anything that is in your WEB-INF/ archive entry in the
> WAR as a result of a direct call from a client. The reason was to protect the
> integrity of the web application. Some folks use the WEB-INF/ directory for
> storing app-specific configuration information which may be sensitive too.
> They can of course retrieve this within a Servlet using the getResource() API
> on the ServletContext.
>
Tomcat 3.2 and 4.0 both successfully protect static files stored under /WEB-INF,
no matter what upper-lower case combination you try on Windows files.
>
> I see you cross posted to the Tomcat team so they are aware of it - thanks -
> I'm sure Craig has it under control.
>
Well, I thought so until some wise alec put a JSP page underneath /WEB-INF and
Tomcat executed it :-(. Will be fixed soon for 3.2 and 4.0 both.
>
> - Danny
>
Craig
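
The gap described in this message (static files under /WEB-INF refused, but a JSP under it still executed) comes from applying the check in only one handler. The following is an added example, not Tomcat's code and not part of the original message: a single path test meant to run on the context-relative request path before any handler (static file or JSP) is chosen. The class name `WebInfGuard`, its methods and the sample paths are hypothetical, and the path is assumed to be URL-decoded already.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Locale;

public class WebInfGuard {

    // Resolve ".", ".." and empty segments so that "/docs/../WEB-INF/x"
    // and "//WEB-INF/x" cannot slip past the prefix test below.
    static String normalize(String path) {
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : path.replace('\\', '/').split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;
            }
            if (seg.equals("..")) {
                if (!segments.isEmpty()) {
                    segments.removeLast();
                }
                continue;
            }
            segments.addLast(seg);
        }
        return "/" + String.join("/", segments);
    }

    // True when a direct client request must be refused. The comparison is
    // case-insensitive because on Windows "/web-inf/x" opens the same file
    // as "/WEB-INF/x".
    static boolean isProtected(String contextRelativePath) {
        String p = normalize(contextRelativePath).toLowerCase(Locale.ROOT);
        return p.equals("/web-inf") || p.startsWith("/web-inf/");
    }

    public static void main(String[] args) {
        // Constructed sample request paths, not taken from any real log.
        String[] samples = {
            "/index.jsp",
            "/WEB-INF/web.xml",
            "/web-inf/web.xml",
            "/Web-Inf/secret.jsp",
            "/docs/../WEB-INF/classes/app.properties",
            "/WEB-INFO/page.html"
        };
        for (String s : samples) {
            System.out.println((isProtected(s) ? "DENY  " : "ALLOW ") + s);
        }
    }
}
```

Because the test does not look at the file extension, a `.jsp` under /WEB-INF is refused the same way as `web.xml`. Server-side code can still read those files through `ServletContext.getResource()`, as the quoted text notes.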