On Thu, Jun 18, 2009 at 11:25 AM, Girish Naik <girish.n...@gmail.com> wrote:

> Yes, it will not show the directory listing. But now a user has to guess
> your JSP name and its folder location, which I think is difficult. And keeping
> the JSPs inside WEB-INF will make the coder add the WEB-INF before the
> page location. :(
>

Everyone should know that "obscurity is not security". Your users may not
need to guess, the disgruntled programmer you fired last week will publish
all your security weaknesses on an anonymous blog so everyone knows.

At one point in time a few years ago you couldn't count on all web servers
obeying the "don't expose WEB-INF" rule.  Be sure you test your solution
with the web server you will be using.

>
> Regards,
> ---------------------------------------------------------
> Girish Naik
> Mobile:-+91-09740091638
> girish.n...@gmail.com
> George Carlin <http://www.brainyquote.com/quotes/authors/g/george_carlin.html>
> - "Electricity is really just organized lightning."
>
> On Thu, Jun 18, 2009 at 8:45 PM, Jan T. Kim <j....@uea.ac.uk> wrote:
>
> > On Thu, Jun 18, 2009 at 07:47:45PM +0530, Girish Naik wrote:
> > > Go to the Tomcat Home/conf/web.xml file. In this file, set listings to false:
> > > <init-param>
> > >     <param-name>listings</param-name>
> > >     <param-value>false</param-value>
> > > </init-param>
> > >
> > > Regards,
> > > ---------------------------------------------------------
> > > Girish Naik
> >
> > Doesn't that still allow access by direct URL to the JSP? I think
> > it disables directory listings only.
> >
> > Anyway, perhaps the easiest solution is to put such JSPs in a subdirectory
> > of WEB-INF. The web container must not expose that hierarchy via HTTP
> > (see servlet spec, section 9.5). I like to keep my JSPs in /WEB-INF/views.
> >
> > Best regards, Jan
> >
>
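As an added illustration of Jan's suggestion (example code, not from anyone in the thread): a hypothetical front servlet is the only public URL, and it forwards server-side to a JSP under /WEB-INF/views, so the WEB-INF prefix is written once in the servlet rather than in every page, and a direct GET of the JSP path is refused by the container regardless of the "listings" setting. It assumes a Servlet 3.0 container (for the @WebServlet annotation) and a view file named report.jsp.

```java
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet (assumption, not part of the thread): /report is the
// only URL clients see. The JSP that renders it lives under /WEB-INF/views,
// which the container must not serve over HTTP (servlet spec, section 9.5),
// so requesting /WEB-INF/views/report.jsp directly yields a 404 even if
// directory listings are enabled.
@WebServlet("/report")
public class ReportServlet extends HttpServlet {

    // The one place the WEB-INF prefix appears; page code never repeats it.
    private static final String VIEW_DIR = "/WEB-INF/views/";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Access control is enforced here, before any view is reached,
        // instead of relying on the JSP location being hard to guess.
        if (req.getUserPrincipal() == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        req.setAttribute("owner", req.getUserPrincipal().getName());
        forwardToView(req, resp, "report.jsp");
    }

    // Server-side forward: the browser is never told the WEB-INF path.
    private void forwardToView(HttpServletRequest req, HttpServletResponse resp,
                               String view) throws ServletException, IOException {
        RequestDispatcher rd = getServletContext().getRequestDispatcher(VIEW_DIR + view);
        rd.forward(req, resp);
    }
}
```

Following the advice earlier in the thread, verify on the actual container that a direct request for /WEB-INF/views/report.jsp is refused while /report still renders.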
