Ken,

On 3/9/2009 4:03 PM, Ken Bowen wrote:
> I agree with everything in both posts, but I just don't see what the
> /location/ of the jsp files (inside/outside WEB-INF) has to do with it.

It's just an access thing, really: no remote client can request that a JSP be run without its handling servlet running first. Just because you shouldn't poke a fire doesn't mean you won't.

It's not about revealing code (which is another matter altogether), it's about controlling access to the execution of your JSPs. If your JSPs are within WEB-INF, no client can access them directly for any reason. That forces the developers to code their application in such a way as to support that setup.

-chris
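
The setup described in this message, shown as an added example that is not part of the original e-mail or of Tomcat itself: a front-controller servlet makes the access decision and then forwards to a JSP kept under WEB-INF. The class name, the `/app/*` mapping, the view names and the JSP paths are assumptions; the code uses the standard `javax.servlet` API.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical front controller, assumed to be mapped to /app/* in web.xml.
public class ViewControllerServlet extends HttpServlet {

    // Allow-list: public view name -> JSP under WEB-INF (paths are assumptions).
    private static final Map<String, String> VIEWS = new HashMap<String, String>();
    static {
        VIEWS.put("/report", "/WEB-INF/jsp/report.jsp");
        VIEWS.put("/profile", "/WEB-INF/jsp/profile.jsp");
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The access decision runs here, before any JSP code executes.
        if (req.getRemoteUser() == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Resolve the view from the allow-list only; the JSP path is never
        // built from request input. A null path info simply finds no entry.
        String jsp = VIEWS.get(req.getPathInfo());
        if (jsp == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Data the JSP relies on is prepared by the servlet, so the JSP
        // never runs without it.
        req.setAttribute("currentUser", req.getRemoteUser());
        // A server-side forward can reach /WEB-INF; a client request sent
        // directly to /WEB-INF/jsp/report.jsp is refused by the container.
        req.getRequestDispatcher(jsp).forward(req, resp);
    }
}
```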