Gregor,

On 3/9/2009 3:58 PM, Gregor Schneider wrote:
> On Mon, Mar 9, 2009 at 8:23 PM, Len Popp <len.p...@gmail.com> wrote:
>> What I mean is, clients *never* access a .jsp file by URL, e.g.
>> "http://www.example.com/app/foo.jsp".
> 
> This is definitely wrong.

No, he's telling you about /his/ webapp, not making a general statement.
He puts his JSPs beneath WEB-INF so they cannot be accessed directly. In
his application, no JSP is ever accessed directly -- it must first go
through a servlet.

> I've googled for this issue, and what I find is that some frameworks
> recommend putting JSPs into WEB-INF/jsp.
> However, I also found the statement that not all Servlet-Containers
> are supporting it.

I can't believe a servlet container wouldn't support this. Perhaps you
are thinking it means more than it does.

From SRV.12.2 of the servlet spec:

"
The security model applies to the static content part of the web
application and to servlets and filters within the application that are
requested by the client. The security model does not apply when a
servlet uses the RequestDispatcher to invoke a static resource or
servlet using a forward or an include.
"

so, if you use a RequestDispatcher to forward to or include another
resource, that resource is allowed to break the normal rules for client
access. For instance, you can forward to (or include) files under WEB-INF.

> Now I'm wondering ("Mr. Servlet-Spec" Chuck, you comment on that one):

Aw.... you can read the spec just as well as Chuck can!

> Is this directory-structure really part of the specs?

It is not prohibited by the spec, so there's no reason why it should be
prohibited by a (compliant) servlet container.

> How does Tomcat find a JSP within WEB-INF/jsp? Do I have to specify it
> in the deployment-descriptor?

There's no magic, here: when you request a RequestDispatcher, you
specify the path to the resource you want to target. If you put
"/WEB-INF" at the beginning of the path, you are targeting something
beneath the WEB-INF directory.

Tomcat will never respond to a client request for a JSP (like /foo.jsp)
by looking under WEB-INF for foo.jsp and executing it. It /must/ go
through a controller servlet specifically designed to do this type of thing.

-chris
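
A controller of the kind described in the message above, as an added example that is not part of the original post or of Tomcat's code. The class name, the `/app/*` mapping and the JSP file names are hypothetical; it assumes Java 9+ for `Map.of` and the `javax.servlet` API (Tomcat 10 and later use the `jakarta.servlet` package instead).

```java
import java.io.IOException;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical controller servlet, assumed to be mapped to /app/* in web.xml.
public class ViewController extends HttpServlet {

    // Allow-list from client-visible names to JSPs under WEB-INF
    // (constructed names). The client only ever supplies a key into
    // this map, never a file path.
    private static final Map<String, String> VIEWS = Map.of(
            "/home",    "/WEB-INF/jsp/home.jsp",
            "/account", "/WEB-INF/jsp/account.jsp");

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // With a /app/* mapping, getPathInfo() is the part of the URL
        // after /app, or null when nothing follows it.
        String pathInfo = request.getPathInfo();
        String jsp = (pathInfo == null) ? null : VIEWS.get(pathInfo);

        if (jsp == null) {
            // Unknown view. Never build the dispatcher path from client
            // input: a forward is allowed to reach anything under WEB-INF,
            // so the allow-list is the only thing limiting what is served.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // Any authentication or authorization check belongs here, before
        // the forward: per SRV.12.2 the security model is not applied to
        // resources invoked through a RequestDispatcher.
        request.getRequestDispatcher(jsp).forward(request, response);
    }
}
```

A direct client request for `/WEB-INF/jsp/home.jsp` is still refused by the container; only the forward from this servlet reaches it.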
