I found out this morning that this is a bug in iPlanet. I received the
response below from a post to the iPlanet newsgroup. I also found that the
mcom.ias newsgroup is behind iPlanet's firewall, so don't waste your time
looking for it.
Matt
-----Original Message-----
From: Klaus Stake [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 31, 2001 12:14 AM
To: Matt Raible
Subject: Re: Security Bug?? Accessing WEB-INF/web.xml from a URL
This is known bug previously discussed in the following thread (search
in the newsgroup mcom.ias):
!!From - Fri Aug 31 08:12:02 2001
!!From: [EMAIL PROTECTED] (David Ogren)
!!Newsgroups: mcom.ias
!!Subject: Can someone cross-check this sp3 security concern
Matt Raible wrote:
> I can access http://localhost/NASApp/myApp/WEB-INF/web.xml (or any other
> files in WEB-INF) from my browser! This can't be right. How do I turn this
> off?
>
> Hopefully, I can do this in the appserver, but if not, please tell me how to
> do it in the webserver. I am using iWS 4.1 & iWS 6.0 on 2 different
> machines.
>
> Thanks,
>
> Matt
>
>
--- "Paradis,_Andr�" <[EMAIL PROTECTED]> wrote:
> I have to tell you, in iPlanet app server 6.0 SP2, JSPs under WEB-INF
> are accessible from the browser
> by typing something like: http://host/NASApp/appname/WEB-INF/some.jsp.
> I tought the container where supposed to protect JSPs placed there?
>
> Andre
>
> -----Original Message-----
> From: Luna, Katherine [mailto:[EMAIL PROTECTED]]
> Sent: August 31, 2001 9:03 AM
> To: [EMAIL PROTECTED]
> Subject: Can't place JSP beneath WEB-INF in WebLogic 6.0
>
>
>
>
> Hi all.
>
> After reading the new Struts Catalogue, I would like to move all my
> jsp's beneath WEB-INF. However, as soon as I do that, WebLogic can't
> seem to find them.
>
> My struts-config.xml looks like this:
> <!-- Process a user logon -->
> <action path="/logon"
> type="com.emergis.cvconlinereport.logon.LogonAction"
> name="logonForm"
> scope="request"
> input="/logon.jsp">
> <forward name="success"
> path="/WEB-INF/pages/reportSearch.jsp"/>
> <forward name="failure" path="/logon.jsp"/>
> </action>
>
> where login.jsp was the entry page (located at the root of the app) and
> all other pages are now in WEB-INF/pages
>
> The server log file doesn't show any errors, but I get a 404 NotFound
> error instead of reportSearch.jsp
> Is there something else I need to configure to tell WebLogic 6.0 to look
> beneath WEB-INF for the jsp pages?
>
> Thanks!
>
> kat
>
>
__________________________________________________
Do You Yahoo!?
Get email alerts & NEW webcam video instant messaging with Yahoo! Messenger
http://im.yahoo.com
