Yep, that was part of my argument to Dakota Jack as I recall... Then again, in some situations one could see it as being quite advantageous to always get a fresh copy from the server, and this approach should ensure that.

Good point about the security considerations... In fact, I seem to remember a recent story where a company had something along these lines in place, but they didn't harden it as well as they should. In the end, people were able to construct query strings that got them very sensitive information (like CC #'s) from this function that they should never have been able to get at. It's a definite concern. I think it's relatively easy to deal with, but it is a valid concern for sure.

--
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
http://www.omnytex.com

Jason Lea wrote:
I hide JSPs under WEB-INF, but I leave my images, .css and .js files outside so they can be served by the web server.

I use forwards in struts to handle url rewriting, instead of linking directly to the css from a .jsp eg
<forward name="baseCSS" path="/css/base.css"/>


Unless there is a reason (eg restricted access etc) I wouldn't use an action to serve these types of files. The action would have to make sure you can't traverse directories, set content mime-types etc.

I imagine it would interfere with a browser's if-modified requests, causing a browser to continually download images/css/js pages every request instead of caching them.



Frank W. Zammetti wrote:

Jarnot Voytek Contr AU/SC wrote:
> Right, js, css, and image files don't belong under web-inf.

I know someone who will disagree vigorously (where are you D.J.?!?) :)

Seriously though, many people DO use this technique, and you can in fact put everything under it, even the js, css, img, etc. content...

For the OP... as you found out, you can't just link to anything under WEB-INF, as is the intention of that folder's protection. What you will need to do is build yourself an Action that returns the requested item, then point everything at that Action.

So, something like:

<img src="GetItemAction.do?img=myImage.gif">

... will call your Action, which presumably retrieves the referenced image and returns it. You can do this for stylesheets, scripts, whatever else you want.
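
The checks this thread names for an action that serves files (no directory traversal, fixed MIME types, honouring if-modified requests, and not handing out files it was never meant to serve), written out as an added example that is not part of the original thread or anyone's posted code. It uses only the JDK; `ItemResolver`, `resolve` and the extension allowlist are hypothetical, and `ifModifiedSince` stands for the value of `HttpServletRequest.getDateHeader("If-Modified-Since")` (-1 when the header is absent).

```java
import java.io.IOException;
import java.nio.file.*;
import java.util.Locale;
import java.util.Map;

public class ItemResolver {
    // Assumed allowlist: only these extensions are ever served, each with a fixed MIME type.
    private static final Map<String, String> MIME = Map.of(
        "gif", "image/gif", "png", "image/png", "jpg", "image/jpeg",
        "css", "text/css", "js", "application/javascript");

    /** HTTP status plus, for 200, the file to stream and its Content-Type. */
    record Result(int status, Path file, String contentType) {}

    static Result resolve(Path root, String item, long ifModifiedSince) throws IOException {
        if (item == null || item.isEmpty()) return new Result(400, null, null);
        int dot = item.lastIndexOf('.');
        String ext = dot < 0 ? "" : item.substring(dot + 1).toLowerCase(Locale.ROOT);
        String type = MIME.get(ext);
        if (type == null) return new Result(403, null, null);   // not an allowed file type
        Path base = root.toRealPath();
        Path candidate;
        try {
            candidate = base.resolve(item).normalize();         // collapses "../" segments
        } catch (InvalidPathException e) {
            return new Result(400, null, null);
        }
        // Path.startsWith compares whole path elements, not string prefixes.
        if (!candidate.startsWith(base)) return new Result(403, null, null);
        if (!Files.isRegularFile(candidate)) return new Result(404, null, null);
        // A symlink inside the root must not lead outside it.
        if (!candidate.toRealPath().startsWith(base)) return new Result(403, null, null);
        // HTTP dates have one-second resolution, so compare on whole seconds.
        long lastModified = Files.getLastModifiedTime(candidate).toMillis() / 1000 * 1000;
        if (ifModifiedSince >= lastModified) return new Result(304, null, null);
        return new Result(200, candidate, type);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample tree and request values, for illustration only.
        Path root = Files.createTempDirectory("items");
        Files.writeString(root.resolve("myImage.gif"), "GIF89a");
        for (String item : new String[] {"myImage.gif", "../private.css", "web.xml", "missing.js"})
            System.out.println(item + " -> " + resolve(root, item, -1).status());
        long later = System.currentTimeMillis() + 1000;         // a revalidating browser
        System.out.println("revalidate -> " + resolve(root, "myImage.gif", later).status());
    }
}
```

In an Action, the returned status would be set on the response and, for 200, the file streamed with the given Content-Type and a Last-Modified header so that later requests can be answered with 304.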