Because some web containers don't allow you to put jsp pages in WEB-INF. Tomcat does, but there is at least one other server out there that doesn't allow it. It's been discussed on this list before so you can search the archives to find out which one.
If yours does and you want to put them in there, you can put them inside WEB-INF. Jay On Sat, 20 Apr 2002, Micael Padraig Og mac Grene wrote: > Exactly! So, why do the typical examples put the jsp pages outside? > > At 02:43 PM 4/19/02 -0300, you wrote: > >He means that it is more secure to place JSP files > >inside the WEB-INF directory, since it does not allow > >direct access to its files. > >So, nobody would be able to access the JSP files > >directly, and would then have to use the mapped URLs > >in struts.config.xml, which is more secure. > > > > --- "Galbreath, Mark" <[EMAIL PROTECTED]> > >escreveu: > I thought I answered that. If you have > >nothing that > > > can execute outside > > > WEB-INF, what does security matter? > > > > > > Mark > > > > > > -----Original Message----- > > > From: Micael Padraig Og mac Grene > > > [mailto:[EMAIL PROTECTED]] > > > Sent: Friday, April 19, 2002 12:32 PM > > > To: Struts Users Mailing List > > > Subject: RE: Inside WEB-INF or outside WEB-INF? > > > Struts security. > > > > > > > > > Thank you for the response, but it is not responsive > > > to the question I > > > asked, I think. My question was: > > > > > > Most sample apps have the jsp pages and > > > images outside the WEB-INF. Why? Isn't > > > it more secure inside? > > > > > > So, where the servlets are ultimately put is not the > > > question, Mark. The > > > question is why do most sample applications put the > > > jsp pages outside the > > > WEB-INF file, even in Tomcat? That works with > > > Tomcat too. You can put > > > them in either place, but if you do it outside you > > > use relative urls and if > > > you put them inside you use the controller > > > framework. My question is why > > > in the world would someone use struts and then put > > > them outside the WEB-INF > > > file? > > > > > > Thanks. > > > > > > Micael > > > > > > > > > At 05:31 AM 4/19/02 -0400, you wrote: > > > >All web containers MUST support files inside > > > WEB-INF by specification. As > > > >for JSP files, some containers, like Tomcat, > > > considers them controller > > > >component Java classes (servlets) and places them > > > in the WEB-INF/class > > > >directory by default. Others, like JRun, consider > > > JSPs view components > > > >(they are, if used "correctly") and place them in a > > > "jsp" directory outside > > > >WEB-INF. > > > > > > > >The point is, JSPs should never have executable > > > Java scriplets in them. > > > >Programmatic functionality should consist solely of > > > tags, which hide the > > > >implementation inside WEB-INF. > > > > > > > >Mark > > > > > > > >-----Original Message----- > > > >From: Victor Hadianto [mailto:[EMAIL PROTECTED]] > > > >Sent: Friday, April 19, 2002 3:18 AM > > > > > > > >On Fri, 19 Apr 2002 08:20, you wrote: > > > > > Most sample apps have the jsp pages and images > > > outside the > > > > > WEB-INF. Why? Isn't it more secure inside? > > > > > > > >Not all web container supports files inside the > > > WEB-INF. Tomcat does. > > > > > > > >-- > > > >To unsubscribe, e-mail: > > > <mailto:[EMAIL PROTECTED]> > > > >For additional commands, e-mail: > > > <mailto:[EMAIL PROTECTED]> > > > > > > > > > > > > -- > > > To unsubscribe, e-mail: > > > <mailto:[EMAIL PROTECTED]> > > > For additional commands, e-mail: > > > <mailto:[EMAIL PROTECTED]> > > > > > > -- > > > To unsubscribe, e-mail: > > > <mailto:[EMAIL PROTECTED]> > > > For additional commands, e-mail: > > > <mailto:[EMAIL PROTECTED]> > > > > > > >===== > >---------------------------------------- > >Frederico Ferro Schuh > >[EMAIL PROTECTED] > >ICQ: 20486081 > > > >>_______________________________________________________________________________________________ > >Yahoo! Empregos > >O trabalho dos seus sonhos pode estar aqui. Cadastre-se hoje mesmo no > >Yahoo! Empregos e tenha acesso a milhares de vagas abertas! > >http://br.empregos.yahoo.com/ > > > >-- > >To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> > >For additional commands, e-mail: <mailto:[EMAIL PROTECTED]> > > > > -- > To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> > For additional commands, e-mail: <mailto:[EMAIL PROTECTED]> > -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
