Leo Donahue - RDSA IT wrote:
-----Original Message-----
From: Tim Funk [mailto:funk...@apache.org]
Subject: Re: [OT] WEB-INF

It's a best practice to keep your JSPs inside of WEB-INF. Since WEB-INF/ is not
allowed to be requested by the browser - it's a simple enforcement
mechanism to prevent users from direct access to calling JSPs.

Thanks Tim.  A lot of old reference books on servlets/JSP never really touched on this 
topic, and I've read about placing resources in WEB-INF on the web somewhere since then.  
I was curious if this practice was originally by design or if the benefit was realized 
after the servlet spec - such as someone deciding "hey, we should put stuff in 
WEB-INF".


(Since it may be common to have JSPs as snippets for header / footers etc -- and therefore
they might be able to be called in surprising ways and exposing funny attacks)

You mention header/footers, which was in the back of my mind when I posted this. Placing headers/footers in WEB-INF doesn't allow me to re-use these in different webapps, without having multiple copies of these?
If I have a header/footer template in \webapps\ROOT\WEB-INF\templates\, I can't 
reference it from  \webapps\App2\WEB-INF\templates  ... or can I?


There are 2 schools of thought here.
One says that webapps should be independent of one another. On that basis, you /should/ duplicate these headers/footers for each webapp, so that they can still be individually modified/redeployed. And one could argue that they are probably not so big (bytewise), so the additional space required should not be a real inconvenience. The other school of thought would argue that having multiple redundant copies of something is bad, because it can lead to diverging versions etc. (And the first school of thought would then come back with a vengeance, saying that this is an issue which your deployment process should take care of).

You /can/ probably have a single copy, and point to it from several webapps using links (or aliases?). You'll need to be careful when undeploying webapps, that this does not delete more than what you think (e.g. the things being linked to, from that webapp). As far as I remember, that used to be an issue some time in past Tomcat versions, but still as far as I remember, this can now be fixed by some configuration parameter (which unfortunately I do not remember the name or location of; you may want to re-read this carefully: https://tomcat.apache.org/tomcat-7.0-doc/config/context.html).

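A packaging check for the practice discussed in this thread, added here as an example and not code from any of the posters or from Tomcat: it lists the JSP files in a WAR that sit outside WEB-INF and so can be requested directly by a browser. The function names, the suffix list and the sample WAR contents are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# File suffixes treated as JSP pages or fragments (assumed list for this example).
JSP_SUFFIXES = {".jsp", ".jspx", ".jspf"}
# The thread's point: the container will not serve anything under this directory.
PROTECTED_ROOT = "WEB-INF"


def exposed_jsps(war_bytes):
    """Return the sorted WAR entry names of JSP files located outside WEB-INF."""
    exposed = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for info in war.infolist():
            if info.is_dir():
                continue
            path = PurePosixPath(info.filename)
            if path.suffix.lower() not in JSP_SUFFIXES:
                continue
            # Exact match only: any other spelling is reported, which errs
            # on the side of flagging too much rather than too little.
            if path.parts and path.parts[0] == PROTECTED_ROOT:
                continue
            exposed.append(info.filename)
    return sorted(exposed)


def build_sample_war():
    """Constructed sample WAR, built in memory so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("index.jsp", "<jsp:forward page='/home'/>")
        war.writestr("templates/header.jsp", "<div>header</div>")
        war.writestr("WEB-INF/templates/footer.jsp", "<div>footer</div>")
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr("static/site.css", "body{}")
    return buf.getvalue()


if __name__ == "__main__":
    for name in exposed_jsps(build_sample_war()):
        print("directly requestable:", name)
```

Entry pages such as index.jsp are reported too, so the output is a review list: header and footer fragments on it are the ones to move under WEB-INF.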