I've read that if you store your JSP files under the WEB-INF folder it blocks access to html resources (CSS etc).. What's the work around to ensure the JSP has access to all the resources it still needs?
Tim On Sat, 29 Jan 2005 10:20:25 -0500, David G. Friedman <[EMAIL PROTECTED]> wrote: > Frank, > > I agree with you when a JSP is just a template. However, may people mix > JSP's with scriplets and other code nibblets. Having items such as those as > publicly accessible can cause security and functionality issues. Luckily, I > myself haven't needed to put scriptlets in my JSP's though I still put my > JSP's, used as (tiles) display templates, under /WEB-INF/pages. > > Regards, > One "David"'s $0.02 worth > > -----Original Message----- > From: Frank W. Zammetti [mailto:[EMAIL PROTECTED] > Sent: Saturday, January 29, 2005 9:07 AM > To: Struts Users Mailing List > Subject: Re: Blocking direct access to JSPs > > My argument against it is that WEB-INF is meant to be configuration > information and "support files", and while I agree with viewing JSPs as > templates, I don't view them as support files either. Let me put it > another way... WEB-INF should be things that are not > application-specific, except for configuration files and libraries. > > Also, if a JSP is just a template, surely it won't work without > something on the server having been executed, right? Therefore, what's > the harm if it's exposed anyway? I suppose you could argue you wouldn't > even want to expose a stack trace, but it depends how far you want to > carry the argument. Of course, you could always do: > > <% if (request.getAttribute("cameFromServer") != null) { %> > // The page here > <% } %> > > Sure, it requires two lines in all JSPs, but it should solve the problem. > > Anyway, it's just my feeling on it. > > -- > Frank W. Zammetti > Founder and Chief Software Architect > Omnytex Technologies > http://www.omnytex.com > > William Stranathan wrote: > > We had this discussion a lot last week, and it seems to be somewhat > > divided on whether JSP's belong in WEB-INF. What was your compelling > > argument AGAINST it? > > > > My compelling argument FOR it has always been that WEB-INF is where > > application artifacts that are not complete web artifacts belong. When > > writing in Struts (pseudo-MVC er Model II or whatever you like to call > > it), JSP is NOT web-ready - it's only template data - just like if you > > had an email template that had the blanks filled in. > > > > Of course, I don't put my JSP's DIRECTLY under WEB-INF - usually have > > them broken out by the type of template - web, mobile, email, etc. > > > > w > > > > Tim Christopher wrote: > > > >> Hi, > >> > >> I would like to block direct access to jsp files, and from what I've > >> read the best practice appears to be setting a security-constraint > >> within the web.xml file. (As opposed to storing all *.jsp files > >> within the WEB-INF folder, though please correct me if that's wrong). > >> > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: [EMAIL PROTECTED] > > For additional commands, e-mail: [EMAIL PROTECTED] > > > > > > > > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
