>-----Original Message-----
>From: Tim Funk [mailto:funk...@apache.org]
>Subject: Re: [OT] WEB-INF
>
>It's a best practice to keep your JSPs inside of WEB-INF. Since WEB-INF/ is not
>allowed to be requested by the browser - it's a simple enforcement
>mechanism to prevent users from direct access to calling JSPs.
Thanks Tim. A lot of old reference books on servlets/JSP never really touched on this topic, and I've read about placing resources in WEB-INF on the web somewhere since then. I was curious if this practice was originally by design or if the benefit was realized after the servlet spec - such as someone deciding "hey, we should put stuff in WEB-INF".

>(Since it may be common to have JSPs as snippets for header / footers etc --
>and therefore
>they might be able to be called in surprising ways and exposing funny attacks)

You mention header/footers, which was in the back of my mind when I posted this. Placing headers/footers in WEB-INF doesn't allow me to re-use these in different webapps, without having multiple copies of these? If I have a header/footer template in \webapps\ROOT\WEB-INF\templates\, I can't reference it from \webapps\App2\WEB-INF\templates ... or can I?