Honourable Barrister-- Is/Are there any <presumably default> configuration option<s> which Tomcat uses to specifically protect META-INF from client access?
Martin-- ----- Original Message ----- From: "Caldarale, Charles R" <[EMAIL PROTECTED]> To: "Tomcat Users List" <users@tomcat.apache.org> Sent: Friday, October 26, 2007 10:28 AM Subject: RE: Philamasophical question META-INF > From: Christopher Schultz [mailto:[EMAIL PROTECTED] > Subject: Re: Philamasophical question META-INF > > Storing stuff in WEB-INF should be just fine -- I would stick > to WEB-INF instead of META-INF. According to the Servlet spec, both WEB-INF (SRV.9.5) and META-INF (SRV.9.6) must be protected by the container from being directly served to clients. (Based on the wording in the spec, a lawyer could argue that META-INF is only protected when the app is packaged in a .war file, if you want to be nit-picky.) - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. --------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]