RE: Inside WEB-INF or outside WEB-INF? Struts security. SWF FILES

2002-04-20 Thread Craig R. McClanahan 



On Sat, 20 Apr 2002, Micael Padraig Og mac Grene wrote:

> Date: Sat, 20 Apr 2002 15:25:15 -0700
> From: Micael Padraig Og mac Grene <[EMAIL PROTECTED]>
> Reply-To: Struts Users Mailing List <[EMAIL PROTECTED]>
> To: Struts Users Mailing List <[EMAIL PROTECTED]>
> Subject: RE: Inside WEB-INF or outside WEB-INF? Struts security. SWF
> FILES
>
> You seem to be suggesting, Craig, that you find putting them outside
> WEB-INF should be fine.  Is that a correct reading of your comments?  If
> so, would you please expand on that?  I am dealing with some relatively
> complex issues of reference between pages, including swf template files
> with arrays accessing other swf photo files, without, of course, including
> forwarding mechanisms available to struts.  I would like to do this inside
> of WEB-INF by instinct, thinking it would enhance security, but that may
> not be an option?  Thanks for any help on this.
>

It depends on what you mean by "enhance security".

The only thing different about putting JSP pages inside /WEB-INF versus
outside is whether a client can directly request one of your pages with a
URL.  For example, this URL will work (assuming there's a page there):

  http://localhost:8080/myapp/foo.jsp

whereas this one will never work from a browser:

  http://localhost:8080/myapp/WEB-INF/foo.jsp

If you don't have users who do this sort of thing (or you don't care if
they do or not, because the app won't work correctly for them anyway),
then there is no difference in where the JSP pages are located.

Craig


> At 01:59 PM 4/20/02 -0700, you wrote:
>
>
> >On Sat, 20 Apr 2002, Micael Padraig Og mac Grene wrote:
> >
> > > Date: Sat, 20 Apr 2002 00:39:53 -0700
> > > From: Micael Padraig Og mac Grene <[EMAIL PROTECTED]>
> > > Reply-To: Struts Users Mailing List <[EMAIL PROTECTED]>
> > > To: Struts Users Mailing List <[EMAIL PROTECTED]>
> > > Subject: RE: Inside WEB-INF or outside WEB-INF? Struts security.
> > >
> > > Exactly!  So, why do the typical examples put the jsp pages outside?
> > >
> >
> >The requirement that JSP pages work from inside /WEB-INF is not
> >particularly clear in the Servlet 2.2 and JSP 1.1 specs, and in fact they
> >do not work in some containers.  To minimize startup problems, that is why
> >the Struts examples have them outside.
> >
> >Additionally, some Struts-based webapps do direct links from one JSP page
> >to another, when there is no need for any processing logic in between.
> >This won't work if they are inside.
> >
> >Finally, on't forget that, even if you put your own JSP pages inside the
> >/WEB-INF directory, you'll need to leave the app home page (usually
> >index.jsp) outside so that it is accessible.
> >
> >Craig
> >
> >
> >--
> >To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
> >For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
>
>
>
> --
> To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
>
>


--
To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>

RE: Inside WEB-INF or outside WEB-INF? Struts security. SWF FILES

2002-04-20 Thread Micael Padraig Og mac Grene 

You seem to be suggesting, Craig, that you find putting them outside 
WEB-INF should be fine.  Is that a correct reading of your comments?  If 
so, would you please expand on that?  I am dealing with some relatively 
complex issues of reference between pages, including swf template files 
with arrays accessing other swf photo files, without, of course, including 
forwarding mechanisms available to struts.  I would like to do this inside 
of WEB-INF by instinct, thinking it would enhance security, but that may 
not be an option?  Thanks for any help on this.

At 01:59 PM 4/20/02 -0700, you wrote:


>On Sat, 20 Apr 2002, Micael Padraig Og mac Grene wrote:
>
> > Date: Sat, 20 Apr 2002 00:39:53 -0700
> > From: Micael Padraig Og mac Grene <[EMAIL PROTECTED]>
> > Reply-To: Struts Users Mailing List <[EMAIL PROTECTED]>
> > To: Struts Users Mailing List <[EMAIL PROTECTED]>
> > Subject: RE: Inside WEB-INF or outside WEB-INF? Struts security.
> >
> > Exactly!  So, why do the typical examples put the jsp pages outside?
> >
>
>The requirement that JSP pages work from inside /WEB-INF is not
>particularly clear in the Servlet 2.2 and JSP 1.1 specs, and in fact they
>do not work in some containers.  To minimize startup problems, that is why
>the Struts examples have them outside.
>
>Additionally, some Struts-based webapps do direct links from one JSP page
>to another, when there is no need for any processing logic in between.
>This won't work if they are inside.
>
>Finally, on't forget that, even if you put your own JSP pages inside the
>/WEB-INF directory, you'll need to leave the app home page (usually
>index.jsp) outside so that it is accessible.
>
>Craig
>
>
>--
>To unsubscribe, e-mail:   
>For additional commands, e-mail: 



--
To unsubscribe, e-mail:   
For additional commands, e-mail: