Keith wrote:

>Users can't get at anything under web-inf by name. So it stops them running
>your jsp directly or viewing their source code.
>They still work because they can be referenced by a Servlet (ie the struts
>ActionServlet). (not all servers are the same here).
>It's a 'rule' for commercial/sensitive sites that every reference from the
>browser is a symbolic ref. (eg. a webapp + a ref. to an entry in
>struts-config.xml). This stops hackers/spies from viewing js source or even
>knowing directory names or file names.
>Looks like paranoia but I guess people have been burned.
>A few years ago you could get at server directory listing from browsers & steal
>files but these days this also is blocked. It's getting really boring...
>
>--- James Mitchell <[EMAIL PROTECTED]> wrote:
>
>>Question?
>>
>>What is the point of putting jsp pages in web-inf?
>>
>>Someone please correct me if I am wrong but,
>>
>>If I see a web application URL such as
>>http://www.someweb.com/myapp/web-inf/somedir/mypage.jsp then I can only
>>assume that I can also go to
>>
>>http://www.someweb.com/myapp/web-inf/web.xml
>>or
>>http://www.someweb.com/myapp/web-inf/classes/ (god forbid that you have
>>"directory browsing" enabled, then I could read your database connection
>>login and passwords (if available, such as poolman.xml) or any of your
>>resource bundle files.
>>
>>Or worse, I could download your .class and .jar files.
>>
>>P.S. Did you actually click on those links? They won't work because I made
>>them up:-)
>>
>>James Mitchell
>>Software Engineer
>>Open-Tools.org
>>Home Phone (770) 822-3359
>>Cell Phone: (678) 910-8017
>>
>>-----Original Message-----
>>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
>>Sent: Friday, February 15, 2002 10:04 AM
>>To: Struts Users Mailing List
>>Subject: <no subject>
>>
>>depends on where your pages are.
>>If you have them in the root web app dir, use:
>>
>><frameset>
>>  <frame src="myNavigation.jsp">
>>  <frame src="myContent.jsp">
>></frameset>
>>
>>If you have it, let's say under <root>/myjsps, use:
>>
>><frameset>
>>  <frame src="myjsps/myNavigation.jsp">
>>  <frame src="myjsps/myContent.jsp">
>></frameset>
>>
>>Having the jsps under WEB-INF doesn't work on some servers, WL for instance.
>>
>>From: Henry Lu
>>Subject: Re: frame page src=?
>>Date: Fri, 15 Feb 2002 05:59:28 -0800
>>
>>No it doesn't work either. Could you show me a working example?
>>
>>---------------------------------------------------------------------------
>>Henry Lu
>>MCIT phone: (734) 936-2063
>>University of Michigan Medical Center fax: (734) 763-4372
>>
>>On Fri, 15 Feb 2002, Jin Bal wrote:
>>
>>>how about
>>>src=something.do
>>>----- Original Message -----
>>>From: "Henry Lu" <[EMAIL PROTECTED]>
>>>To: <[EMAIL PROTECTED]>
>>>Sent: Friday, February 15, 2002 1:34 PM
>>>Subject: frame page src=?
>>>
>>>>How to specify src path in the frame tag under struts?
>>>>
>>>>I did the following and it didn't work
>>>>
>>>>src="/WEB-INF/jsp/login/blank.jsp"
>>>>neither
>>>>src="/do/someting"
>>>>neither
>>>>src="/jsp/login/blank.jsp"
>>>>
>>>>Could you show me an example?

Hi,

you may believe this is wrong, albeit I have been briefed that the WEB-INF is
accessible if you are running the service under W$ NT, thus your classes, jsp
and beans etc. can be viewed. Apparently NT4 does not know the difference
between Web-Inf, WEB-INF or web-inf. Thus this may now have been rectified.
Please let me know otherwise.
Note "Could be the case of careless whispers"

Cheers
Chuck Amadi
Systems Programmer.
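
The case-sensitivity concern raised in the last reply, as an added example that is not part of the original thread: a servlet filter that refuses any client request resolving into WEB-INF or META-INF regardless of letter case. The class name `ProtectedDirFilter` is hypothetical, and the code assumes the `javax.servlet` API on a Servlet 2.4 or later container.

```java
import java.io.IOException;
import java.util.ArrayDeque;
import java.util.Deque;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Added example (hypothetical class): blocks WEB-INF / META-INF in any letter case. */
public class ProtectedDirFilter implements Filter {

    /** True if the context-relative path resolves into WEB-INF or META-INF, ignoring case. */
    static boolean isProtectedPath(String path) {
        Deque<String> segments = new ArrayDeque<>();
        // Treat '\' as a separator too, since Windows file systems accept it.
        for (String seg : path.replace('\\', '/').split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) { segments.pollLast(); continue; }
            segments.addLast(seg);
        }
        String first = segments.peekFirst();
        return first != null
            && (first.equalsIgnoreCase("WEB-INF") || first.equalsIgnoreCase("META-INF"));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // getServletPath() and getPathInfo() are already URL-decoded by the container.
        String path = request.getServletPath()
            + (request.getPathInfo() == null ? "" : request.getPathInfo());
        if (isProtectedPath(path)) {
            // 404 rather than 403, so the response does not confirm the directory exists.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

Mapped to `/*` with the default REQUEST dispatcher, the filter sees only requests coming from the browser, so an internal forward from the ActionServlet to a JSP under /WEB-INF still works.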