Why cant I access a WEB-INF directory?
Hi,
I had a war file from a book that I did jar xvf on. It created a directory structure of the nature
<TOMCAT>/ex0101/WEB-INF/etc...
If I go to
http://localhost:8080/ex0101it works
If I create anotherDirectory inside ex0101, and do
http://localhost:8080/ex0101/ANOTHER-DIRECTORYit works
But If I do
http://localhost:8080/ex0101/WEB-INFI get:
HTTP Status 404 - /ex0101/WEB-INF/WHY?
The WEB-INF directory is designated to be hidden from
the end user. It is used for configuration files
like web.xml, struts-config.xml, and other "utility"
files. For security purposes, the end user is not
allowed to browse this directory directly.oh thank you so much, I was sitting here going crazy, I looked at the directory property and it was not hidden on Windows, so I was so confused, but I guess it is hidden in Tomcat, thanks a lot, you are a truly kind man
Similar Messages
-
ADF Faces - access to content in WEB-INF directory
Hello,
I create simple JSF application that use ADF Faces and deploy it to Oracle iAS. But why can i also access files in WEB-INF directory? For example, the following URL - http://myserver.si/MyApp/faces/WEB-INF/web.xml - will return the content of XML file. By my knowledge of J2EE architecture, access to this directory should be forbidden.
Should I set some parameter on javax.faces.webapp.FacesServlet servlet filter to prevent access to WEB-INF directory? Thank you for help.
Google also found the following links:
- http://mail-archives.apache.org/mod_mbox/myfaces-dev/200602.mbox/%[email protected]%3E
- http://svn.apache.org/viewcvs.cgi//myfaces/core/trunk/api/src/main/java/javax/faces/webapp/FacesServlet.java/?rev=375489&view=diff&r1=375489&r2=375488&p1=/myfaces/core/trunk/api/src/main/java/javax/faces/webapp/FacesServlet.java&p2=/myfaces/core/trunk/api/src/main/java/javax/faces/webapp/FacesServlet.java
Regards,
MaticHi,
the reason for this is that the WEB-INF directory is protected against direct client (browser) requests. Using Faces, the JSF servlet performs this access as a server side forward request in which case there is no container-managed protection.
If you want to avoid this then you can write a servlet filter in fron of JSF in which you check for any occurences of directories you want to prohibit access to.
Its not a bug, its the way J2EE is designed ;-(
Frank -
Access JSF Pages within WEB-INF directory
Hi,
I am generating a project using JHeadstart 10.1.3
with the default setting for the UI Pages directory (/WEB-INF/page).
This means that the generated pages are placed in the page directory
within the WEB-INF directory.
The generated pages use ADF Faces and the problem is that I can't
get access to the pages in the WEB-INF directory
When I try to deploy to OC4J standalone, the pages in the WEB-INF directory
are not accessible.
I read that I have to construct a index.jspx file that forwards to
the first page (Home.jspx)
This is my index.jspx:
<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" version="2.0">
<jsp:scriptlet> request.getRequestDispatcher("WEB-INF/page/Home.jspx").forward(request,response);
</jsp:scriptlet>
</jsp:root>
This works, but I now have the problem of not getting a valid FacesContext:
500 Internal Server Error
javax.servlet.jsp.JspException: Cannot find FacesContext
at javax.faces.webapp.UIComponentTag.doStartTag(UIComponentTag.java:405)
at com.sun.faces.taglib.jsf_core.ViewTag.doStartTag(ViewTag.java:105)
at web2d_inf._page._Home_jspx._jspService(_Home_jspx.java:100)
[SRC:/WEB-INF/page/Home.jspx:9]
at com.orionserver[Oracle Containers for J2EE 10g (10.1.3.0.0) ].http.OrionHttpJspPage.service(OrionHttpJspPage.java:59)
at oracle.jsp.runtimev2.JspPageTable.compileAndServe(JspPageTable.java:662)
at oracle.jsp.runtimev2.JspPageTable.service(JspPageTable.java:370)
at oracle.jsp.runtimev2.JspServlet.internalService(JspServlet.java:478)
etc. etc.
What is the required way of setting up the forward (and having a valid FacesContext)?
I know that this is a JHeadstart problem, but maybe you guys know how to solve it.
Part of my web.xml:
<description>Empty web.xml file for Web Application</description>
<context-param>
<param-name>javax.faces.STATE_SAVING_METHOD</param-name>
<param-value>client</param-value>
</context-param>
<context-param>
<param-name>javax.faces.CONFIG_FILES</param-name>
<param-value>/WEB-INF/faces-config.xml,/WEB-INF/custom-faces-config.xml,/WEB-INF/JhsCommon-beans.xml,/WEB-INF/AppModule-Breadcrumb-beans.xml,/WEB-INF/Bpas-beans.xml,/WEB-INF/BpasLookup-beans.xml,/WEB-INF/GroupsLookup-beans.xml,/WEB-INF/PersonsLookup-beans.xml,/WEB-INF/OrganizationsLookup-beans.xml</param-value>
</context-param>
<context-param>
<param-name>CpxFileName</param-name>
<param-value>sumawest.view.DataBindings</param-value>
</context-param>
<filter>
<filter-name>adfFaces</filter-name>
<filter-class>oracle.adf.view.faces.webapp.AdfFacesFilter</filter-class>
</filter>
<filter>
<filter-name>adfBindings</filter-name>
<filter-class>oracle.adf.model.servlet.ADFBindingFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>adfFaces</filter-name>
<url-pattern>*.jsp</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>adfFaces</filter-name>
<url-pattern>*.jspx</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>adfFaces</filter-name>
<servlet-name>Faces Servlet</servlet-name>
</filter-mapping>
<filter-mapping>
<filter-name>adfBindings</filter-name>
<url-pattern>*.jsp</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>adfBindings</filter-name>
<url-pattern>*.jspx</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>adfBindings</filter-name>
<servlet-name>ordDeliverMedia</servlet-name>
</filter-mapping>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet>
<servlet-name>ordDeliverMedia</servlet-name>
<servlet-class>oracle.ord.html.OrdPlayMediaServlet</servlet-class>
<init-param>
<param-name>releaseMode</param-name>
<param-value>Stateful</param-value>
</init-param>
</servlet>
<servlet>
<servlet-name>resources</servlet-name>
<servlet-class>oracle.adf.view.faces.webapp.ResourceServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>/faces/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>ordDeliverMedia</servlet-name>
<url-pattern>ordDeliverMedia</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>resources</servlet-name>
<url-pattern>/adf/*</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>35</session-timeout>
</session-config>
<mime-mapping>
<extension>html</extension>
<mime-type>text/html</mime-type>
</mime-mapping>
<mime-mapping>
<extension>txt</extension>
<mime-type>text/plain</mime-type>
</mime-mapping>
<welcome-file-list>
<welcome-file>index.jspx</welcome-file>
</welcome-file-list>I do something similar in my index.jspx file - but I needed to add "faces" to the url path. This will have the faces servlet process it and setup the faces context.
Have you tried changing
request.getRequestDispatcher("WEB-INF/page/Home.jspx").forward(request,response);to
request.getRequestDispatcher("faces/WEB-INF/page/Home.jspx").forward(request,response); -
Access jsp pages in WEB-INF directory
Hi,
I've a problem with my jsp web project;
practically I've created a web project that uses jsp pages and servlet.
I never use links to jsp pages, directly in my web pages, but I call always first servlet;
the servlet call jsp pages.
My project is completed and works fine, but any user can access to my jsp pages directly simply writing the url.
So I've tried to move my jsp pages in the WEB-INF directory, but now I doesn't manage in accessing index.jsp page;
how must I do to access index.jsp page?
I've tried to modify web.xml like this
<welcome-file-list>
<welcome-file>WEB-INF/index.jsp</welcome-file>
</welcome-file-list>
but doesn't work;
besides also servlet calls to jsp pages doesn't work anymore.
How can I solve?
Thank you in advance
MargNatok, so first you have to implement the Filter interface, with 3 methods,
the main method u have to put logic in is doFilter()
public class YourClass implements javax.servlet.Filter {
doFilter(ServletRequest req, ServletResponse res, FIlterChain chain) throws ... {
//check first if is HTTP, if in this case permission is not granted as well
if(req instanceof HttpServletRequest{
HttpServletRequest httpReq = (HttpServletRequest)req;
//now check if its called for index.jsp
if(!httpReq.getRequestURI().toLowerCase().endsWith("index.jsp"))
throw new ServletException("access permitted");
else
chain.doFilter(req,res); //go on with processing
}else
throw new ServletException("only HTTP requests allowed");
}and of course you have to register that filter in your web.xml doing
<filter>
<filter-name>yourFilter</filter-name>
<filter-class>yourFilterClass</filter-class>
</filter>
<filter-mapping>
<filter-name>yourFilter</filter-name>
<url-pattern>/**.jsp</url-pattern>
</filter-mapping>actually that's it -
Serializing a JavaBean to the WEB-INF directory or subdirectories
Hello, I'm hoping someone can help me on this.
I'm working with two scenarios in WSAD Enterprise Edition 5.0.0.2 for
serializing a JavaBean (called AddressBean) to the following location
in my Web application:
/WEB-INF/classes/resources/serializable
The data corresponding to the bean I'm serializing is being stored in
a file with a name that makes it unique on the file system (e.g.
jeff.ser, jill.ser). In the first scenario, I start by getting a
FileOutputStream, then an ObjectOutputStream which is then used to
write my JavaBean as needed. All of this is done in the first
scenario from a JSP located in:
myWebApp/Web Content/jsp/JSP1.jsp
That works fine and as I'd expect. However, I'm not able to do that
in the second scenario. In this scenario, I created an additional
method in the bean itself that will actually serialize an object of
its own type to the same directory structure that I showed above (i.e.
under the WEB-INF directory). That is, in my bean, I have the
following:
public void writeDataToFile(AddressBean bean, String path) {
FileOutputStream fos = null;
ObjectOutputStream oos = null;
try {
fos = new FileOutputStream(path);
oos = new ObjectOutputStream(fos);
oos.writeObject(bean);
oos.close();
catch(Exception e) {
e.printStackTrace();
In this scenario, another JSP (call it JSP2.jsp) is creating an
instance of AddressBean by using the jsp:useBean tag. The real path
for the .ser file is figured out in the JSP code (same as was done in
JSP1.jsp), and then I delegate the serialization part to the bean
itself like so:
// In JSP2.jsp
<jsp:useBean id="ab" class="examples.beans.simple.AddressBean" />
AddressBean address = (AddressBean) pageContext.getAttribute("ab");
// get the path
String path = ...
String realPath = application.getRealPath(path);
// write the object
address.writeDataToFile(ab, realPath);
What happens is that I get a FileNotFoundException while trying to
create the FileOutputStream in the writeDataToFile() method in
AddressBean at runtime. The message in the console states:
java.io.FileNotFoundException:
C:\WINNT\Profiles\myself\Personal\IBM\wsad\myworkbench\myWebApp\Web
Content\ (Access is denied)
The source file for AddressBean is located at:
myWebApp/Java Source/examples.beans.simple.AddressBean
WHAT is going on here!? I know that everything stored underneath the
WEB-INF directory is not served to clients so I'm also assuming that
whatever stored in that directory or its subdirectories is not
accessible to clients by default. The only real difference between
the two scenarios that I've described is that in the second one, the
attempt to get a FileOutputStream is being made by a resource (i.e.
AddressBean) that is outside of the "Web Content" directory structure
in WSAD. However, the "Java Source" directory, which contains the
package housing my AddressBean class, is also under myWebApp so I'm
not seeing what the problem is at the moment.
If anyone has any ideas, suggestions, solutions, please let me know.
I'm stumped. Thank you!
JeffI figured it out, and it was my mistake. The problem was in a method defined in my AddressBean class that would take a String argument and use it to help create a unique file name (i.e. one with a .ser extension to contain the serialized bean data) for purposes of serialization later.
Basically, I was using a local variable in the method unintentionally instead of the instance variable that I had defined in the bean so my path value was null at runtime--hence the FileNotFoundException.
I'm still not sure why the (Access is denied) message was appearing, but I suspect it was b/c the absolute path that I'd end up with at runtime wasn't kosher; or, not having a destination .ser file was the problem.
In any event, I fixed the mistake and could serialize a JavaBean in several ways:
1. From a JSP directly
2. By using a method defined in the JavaBean itself
3. By passing on the request, which contained the JavaBean as an attribute, to a servlet that took care of the serialization
Jeff -
Find path to Web-inf directory from root
Hi All,
I have a application for which the "config.txt" file is placed in "Web-inf" directory. I want to get the complete path to this file so that I can access it and read config info.
I am able to acheive this if I write the following piece of code and it gives me the complete path.
String configPath = getServletContext().getRealPath("config.txt");
My problem is that this code works only if the class extends from HttpServlet. I want to get the complete path to this file from a normal java bean, where I don't have the servlet context.
If there is any alternative way to achieve this or if somehow I can get the servlet context in the java bean then please let me know. We use iPlanet 6.0 server.
Thanks for your help.
RMThanks for your reply. Do you mean, I should use
getResourceasStream() method which return inputstream.
But even that would require servletcontext object ?No it doesn't require the servlet context; if it did, you'd still be able to get the servlet context from the servlet itself.
Maybe I have not understood, your approach. Can you
please give me some example.
class SomeServlet extends HttpServlet {
// servlet stuff
private void handleConfiguration() {
InputStream configStream = getClass().getResourceAsStream("config.txt"); // may return null
YourBean bean = getYourBeanInstance();
bean.someMethod(configStream);
// close configStream
public class YourBean {
public void someMethod(InputStream configStream) {
// handle configStream
} -
Support for JSP's located in WEB-INF directory
Several application servers support the use of placing JSP pages underneath the WEB-INF directory, to insure that only server side workflow forwards requests to those pages and not direct URL access. IN addition the JSTL specification supports the use of
<c:import url="/WEBINF/published/campaign_Arts.jsp" />
Does OC4J 9.0.3 support this syntax? I cannot get it to work. Is there an application configuration file I need to update to support this?
Thanksthank you for your reply...
but...
My problem is that i want to serve jsp pages that include various other jsp pages.
But i don't want those other pages to be served directly. The approach of putting
the jsp files in the WEB-INF, or in a sub directory of it, worked fine on Tomcat.
The way i look at it is that the server has direct access to them when putting
togetter the main jsp, but they can't be accessed from the outside. But this seems
not to be the case.
Any ideas?
"ilya Devers" <[email protected]> wrote:
>The WEB-INF is not perceived as a directory to the engine. Resources
>in it
>are not exposed and should not. It can hold sensitive resources such
>as
>application deployment descriptors that can contain database log in
>information to name something. The engine should never serve resources
>located here.
>
>This directory should only contain the normal directories: lib and classes,
>and the web.xml files (and weblogic.xml).
>
>Hope this helps.
>
>ilya
>
-
Storing .jsp files in the web-inf directory
Has anyone ever heard about storing JSP files in the web-inf directory instead of the web app root directory.
Apparently it improves security.
If this is so, how is the user suppose to access the jsp file since I thought that users were not able to access what is stored in the web-inf directory.
Any thoughts
Thanks
NatI didn't tyr this but I think it is possible. You can do it using <servlet-mapping/> as you do with any other servlet.
For example include lines below, in web.xml of web-inf,
<servlet>
<servlet-name>ReportRouter</servlet-name>
<jsp-file>/web-inf/jsp/ReportRouter.jsp</jsp-file>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>ReportRouter</servlet-name>
<url-pattern>/myrouter</url-pattern>
</servlet-mapping>
This may work. Don't you think so?
Sudha -
Log4J - reading properties file from /WEB-INF directory issue..
I'm just learning to implement Log4J; the approach I am taking for my JSF application running under Tomcat 5.5x is to create an initialization servlet to initialize the logger, and then access the logger instance within my backing beans and application module services. I include log4j.jar file in /WEB-INF/lib and log4j.properties in /WEB-INF.
First I wanted to see if this was a good approach, and secondly I'm having trouble accessing the log4j.properties file from the /WEB-INF directory (see below) - any suggestions on how to set up the path so that the properties file can be found (I receive a java.io.filenotfoundexception)?
Where I'm looking for direction is how to define a single instance of the logger and then access that instance from my java classes versus re-creating the logger in each class.
----- web.xml --------
<servlet>
<servlet-name>LogServlet</servlet-name>
<servlet-class>com.sidehire.view.util.LogServlet</servlet-class>
<init-param>
<param-name>setup</param-name>
<param-value>/WEB-INF/log4j.properties</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
------ LogServlet class ------
public void init()
throws ServletException {
String config = getInitParameter("setup");
PropertyConfigurator.configure(config);
Thanks
Message was edited by:
javaXTry to put the log4j.properties in your WEB-INF/classes/ directory.
You could wrap one log4j instance in a static method in a utility class, but then you would probably lose other information depending on your logger configuration.
If you create an instance in each class, which after all is just one line like this:
static Logger logger = Logger.getLogger(ChangePasswrdAction.class.getName());
then you are able to get time and method information. -
Invalid Flex WEB-INF directory
Please someone help me !
I've instaled LiveCycle Data Series and ColdFusion MX7 and I
want to create a Flex Project to access a database that is in SQL
server locally in my computer.
When I try to create it FLEX using CF or DataSeries always
says that the WEB-INF directory isn't available.
Can someone explain me Step by Step how should I do it
?The Flex documentation - Building and Deploying Flex
Applications, Chapter 3, page 45 - states that you can create your
Flex project under your own Java web application folder (a opposed
to the flex.war folder), but is very scarce with details.
Anyone from Adobe to enlighten us ?
What should a Java web application folder contain so that
Flex Builder allows to create a Flex project within it ? -
Possible to put JSPs used by JSF in WEB-INF directory?
I'm used to storing my JSPs in the WEB-INF directory so that they can only be accessed through a controller servlet and not directly. Does anyone know if this is possible with JSF?
I have an application that has 3 pages. I want to force the user to go from page 1 to page 2 to page 3. I don't want the user to be able to jump straight to page 2 or 3 without first going through the previous pages. How can I acheive this using JSF?
Furthermore, if the session times out while the user is on page 2 or 3 and they attempt to submit, I want the application to go back to page 1 (or, preferably a page that states that the session has timed out) and force them to start over.May be you should just restrict access to your *.jsp files and doing your logic by the beans and navigation rules?
<security-constraint>
<!-- This security constraint illustrates how JSP pages
with JavaServer Faces components can be protected from
being accessed without going through the Faces Servlet.
The security constraint ensures that the Faces Servlet will
be used or the pages will not be processed. -->
<display-name>Restrict access to JSP pages</display-name>
<web-resource-collection>
<web-resource-name>
Restrict access to JSP pages
</web-resource-name>
<url-pattern>*.jsp</url-pattern>
</web-resource-collection>
<auth-constraint>
<description>
With no roles defined, no access granted
</description>
</auth-constraint>
</security-constraint> -
How can I reference a dtd in the Web-Inf directory from an xml file?
Hi,
I've placed my test.xml and test.dtd files in the following
direcory (part of my web application)
weblogic\config\MyDomain\applications\sample\Web-inf
When I refer to the dtd from the xml file, as follows,
<?xml version="1.0" encoding="ISO-8859-1" ?>
<!DOCTYPE application SYSTEM "test.dtd">
Weblogic tries to look for the dtd in the weblogic directory(the
place where I started the server from). How can I get it to read
the dtd in the Web-inf directory?
I'm using Weblogic6.0 SP1 on Windows NT 4.0
Thanks.Two options:
1) Use SYSTEM "http://localhost:7001/sample/test.dtd"
2) Or use XML registry in WLS6.0
Cheers - Wei
"Paromita" <[email protected]> wrote in message
news:3aaff997$[email protected]..
>
Hi,
I've placed my test.xml and test.dtd files in the following
direcory (part of my web application)
weblogic\config\MyDomain\applications\sample\Web-inf
When I refer to the dtd from the xml file, as follows,
<?xml version="1.0" encoding="ISO-8859-1" ?>
<!DOCTYPE application SYSTEM "test.dtd">
Weblogic tries to look for the dtd in the weblogic directory(the
place where I started the server from). How can I get it to read
the dtd in the Web-inf directory?
I'm using Weblogic6.0 SP1 on Windows NT 4.0
Thanks. -
Im in airport utility why cant i access my base station to ater
im in airport utility why cant i access my base station to a printer all i have on screen is my airport exstreme on a black background with a globe
If the email you want the phone to suggest is not associated with a contact so how do you think th ephone has any way of making a suggestion? The suggestion will only work if you have entered email addresses for contacts
01101001 01110000 01101000 01101111 01101110 01100101 00100000 01110100 01101000 01100101 01110010 01100101 01100110 01101111 01110010 01100101 00100000 01001001 00100000 01100001 01101101 -
Weblogic only deploys 'WEB-INF' directory....
Hi,
I desperatly try to deploy an exploded war file - but it seems weblogic just pics the web-inf folder & leaves everything else behind. Deployment failes because during startup the application tries to access a file stored outside the WEB-INF, which would be the top-level of the war archive.
Anyone knows why this is the case? Is this configureable somehow?
Weblogic version is 11g (10.3.2) under Windows....Thanks for the quick response!
It's a Webservice using Axis.
I know that during startup, a servlet tries to load stuff like configuration details, logging details etc. "Unfortunatly" those files are stored in a config folder on the "root" level of the war file.
In essence, the structure looks like this:
---| some_webservices.war
------| WEB-INF
---------| lib
---------| ..........
------| META-INF
------| config
---------| ...some files...
If i deploy the whole thing as a archive, the applicaton works fine - but if I explode the war file & choose to deploy the root folder, weblogic just grabs the web-inf folder, copies it to the server & starts the application (which leads to the problem).
To answer your other questions:
- no there are no "weblogic" errors in the logfile - the only error comes from the application, because it tries to load a file from the config directory... -
How to display an image located in the WEB-INF directory?
Basically, When a user registers, they a directory is created with their username that holds images that they can upload. How do I display those images. All I am holding in the database is the location of the images.
ive tried
<img src="/WEB-INF/users/testuser/picture.jpg" />
but this doesnt work and for obvious security reasons shouldnt.. but is there another way of doing what i want to do? perhaps a custom tag? thanks
JazzYou would have to write a generic servlet that would return an image
<img src="/getImage?user=testuser&pic=picture.jpg" />Your servlet would basically fetch the file from under web-inf, and then stream it back to the user.
Methods to use:
servletContext.getRealPath() (to help find the file on disk), relative to your web app
getOutputStream (as opposed to getWriter)
It is only in this way that you can access files on the server outside of the public web directories.
Hope this helps
Cheers,
evnafets
Maybe you are looking for
-
Deactivating the automatic setup for creation of batch numbers in GR
Hello, The user wants to key in the batch number for material purchased while creating GR. But the batch number gets created automatically. Could you please help and letme know how can the user deactivate this? Is it activated in master-data or cust
-
I have some pictures that were downloaded from some emails. I was on AOL thru Firefox, when there was an upgrade. Allowed the upgrade & restarted. When I went back thru Firefox onto Yahoo.com to my mail site and then opened pictures it started going
-
Terms of payment -delivery date
hi i want to make a terms of payment xx days from the delivery date. I would like to know how terms of payment will be made. in SAP we have no date, document date, posting date, entry date. Main point is how correct baseline date will be proposed in
-
Local Calculation (Summation) in query doesn't display correctly in web
Hi All, I have been working on a complicated query where I have formulas that perform calculations. I then Hide these formulas and use them in another formula for further calculations. The new calculations I then use local summation to basically ju
-
I have been having a series of problems with my iChat over the last few weeks. I used to not be able to get the program open. That was fixed by opening it using Rosetta. Then none of the buddies would appear on my buddy list. This was fixed by deleti