On Tue, 22 Jan 2002, Anton Brazhnyk wrote:
> Date: Tue, 22 Jan 2002 15:50:33 +0200
> From: Anton Brazhnyk <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: RE: applet deployment/access
>
> Hi,
>
> > -----Original Message-----
> > From: cazza [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, January 22, 2002 3:27 PM
> > To: [EMAIL PROTECTED]
> > Subject: applet deployment/access
> >
> >
> > I have a servlet that generates html which contains a reference to the
> > applet class under tomcat (the tomcat location is webapps/myapp/applet/)
> >
> > I understand that MyApplet.class cannot be under the web-inf directory for
> > security reasons, but I have two questions;
>
> I don't know any security reasons for applets to be not allowed in WEB-INF,
> there is only one reason for them: User won't be able to access them there.
> Applets are executed on client side, so browser's JVM should download .class
>
The security reason is that no client request (applet or not) is allowed
to access any resources under "/WEB-INF" (see Section 9.6 of the Servlet
2.3 spec, which you can get from
<http://java.sun.com/products/servlet/download.html>).
Applet developers must arrange that all files needed by the applet
(including the class or JAR files themselves) are available from someplace
in the web application *other* than the WEB-INF directory.
Craig McClanahan
--
To unsubscribe: <mailto:[EMAIL PROTECTED]>
For additional commands: <mailto:[EMAIL PROTECTED]>
Troubles with the list: <mailto:[EMAIL PROTECTED]>
