Read the specification, section 9.4:
A special directory exists within the application hierarchy named “WEB-INF”.
This directory
contains all things related to the application that aren’t in the document
root of the application. It is
important to note that the WEB-INF node is not part of the public document
tree of the application.
No file contained in the WEB-INF directory may be served directly to a
client.
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, May 31, 2001 8:06 AM
> To: [EMAIL PROTECTED]
> Subject: 3.2.2 - handling requests for WEB-INF/*
>
>
> I've taken a quick crawl through the code and want to re-suggest
> a possible
> cause for the problems we're seeing on 3.2.2 dealing with requests to the
> WEB-INF directory.
>
> First of all, this is really the first time I've been through the tomcat
> code, and I've done it quickly so there's a high chance for
> error. However,
> I've tracked the following path:
>
> ContextManager.service
> ContextManager.internalService
> ContextManager.processRequest
> SimpleMapper1.requestMap
>
> My assumption here is that ContextManager.service is a main entry
> point...it
> appears to be called by almost everything AND has a comment to
> that effect.
> From that point, there are not many branch points until you reach
> SimpleMapper1.requestMap. The first thing requestMap does is check if
> you're asking about the WEB-INF directory and returns 404 if you are. So,
> my working theorey is that anything that calls ContextManager.service,
> whether its loading a class from a .jar file, getting a configuration
> file...anything...will be vetoed by SimpleMapper1.requestMap.
>
> A fix I would suggest - change SimpleMapper1.requestMap to only veto
> requests to the "standard" tomcat files - directory browsing and web.xml.
> We can fine tune it later, but this appears to be a quick dirty fix.
> Someone more familar with the code could verify it for me: am I
> way in left
> field?
>
> Brian Flynn
