I'll add my 2 p/cents/yen to this one- I'm in the "outside of the WebApp's file system" crowd (a directory on the same level with WebApp's since Tomcat doesn't know anything else. I could make a link if I had to to some other place more convenient.
So unless the server allows for a "/../" in a requested url, no amount of "Guess That URL!" playing will work, or that seems to be my impression after a fair bit of trying to break it. When I want the browser to be sent a file, I retrieve the data with a struts action that checks for application level access privs to it. How the files get fed thru that are entirely within my control/mistake range. If someone knows how to break this, please say so :-) -----Original Message----- From: Michael McGrady [mailto:[EMAIL PROTECTED] Sent: Wednesday, October 13, 2004 4:42 PM To: Struts Users Mailing List Subject: Re: Where Is the Best Place To Store Files? Durham David R Jr Contr 805 CSPTS/SCE wrote: >I personally opt to store uploaded files outside of the web-app's >file-system altogether. This has to do with how easy it is to serve up >content with Java (and other languages, I'm sure) and the need to >physically separate the application's persistent data from the >application code. This has to do with deployment and backup processes, >though. > > >- Dave > There is a lot of sense in doing this, as well. I don't do it and opt for inside WEB-INF because of business reasons having to do with operating system independence that are special requirements. This might be your most sensible option. I am fairly clear in my mind that, if you have gone far enough to use a framework like Struts, that you don't want to expose any resources outside your control. Others, maybe Dave, would disagree, and maybe they are right. Michael McGrady --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
