Yes, you could change this behavior by moving the files under WEB-INF, but I don't think being able to see these pages in the browser is a security hole.

Matt

On Sun, Dec 7, 2008 at 10:20 AM, Kunal Dabir <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I am new to AppFuse and to many technologies it uses (like sitemesh,
> freemarker, in fact struts2 itself). I am using spring-struts2-jpa stack.
> While working locally I noticed that one can see the code that's put in files
> under some directories outside the WEB-INF, so I checked the hosted demo,
> which also shows the same behavior:
> http://demo.appfuse.org/appfuse-struts/template/xhtml/controlfooter.ftl
>
> and some URLs, if referred directly, can render unexpected (well...
> expected) output like this:
> http://demo.appfuse.org/appfuse-struts/decorators/default.jsp
>
> I am sure you must have noticed this and although the code displayed or page
> rendered improperly do not have any devastating results, I am just curious
> to know that does this problem exist in all the Java webapps? We can secure
> these directories just like it's done for the admin/, isn't it?
>
> PS: please excuse my English and Java web development knowledge.
>
> Kunal
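
The alternative raised in the question, securing the directories with a container constraint instead of moving the files under WEB-INF, could look like the `web.xml` fragment below. It is an added example, not part of the original thread and not AppFuse's shipped configuration; the two URL patterns are taken from the demo URLs quoted above, and it assumes the templates and decorators are only ever reached server-side (template loading, `RequestDispatcher` forward/include), which servlet security constraints do not apply to.

```xml
<!-- Added example, not AppFuse's own web.xml. Place inside <web-app>. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Templates and decorators (no direct access)</web-resource-name>
        <!-- Patterns derived from the two URLs in the message (assumption:
             nothing under these paths needs to be fetched by a browser) -->
        <url-pattern>/template/*</url-pattern>
        <url-pattern>/decorators/*</url-pattern>
        <!-- No <http-method> elements: the constraint covers every method -->
    </web-resource-collection>
    <!-- An empty auth-constraint names no role, so the container refuses
         every direct client request to these paths with 403 Forbidden -->
    <auth-constraint/>
</security-constraint>
```

After deploying, a direct request for either quoted URL should return 403 while decorated pages still render; if a page breaks, something was fetching those paths over HTTP and the assumption above does not hold.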
