
As question 20378230 points out, IBM WebSphere Application Server (WAS) no longer allows servlets to access files in WEB-INF, except if you set exposeWebInfOnDispatch=true in server.xml (false is the default, as described here).

WEB-INF used to be my location of choice for servlet configuration data and for JSP, TLD, JSF etc. files, in order to protect them from direct client access. Does that mean that all JSF, Struts and similar projects have to use this setting? Or is there an alternative strategy to protect such resources in WAS if they are placed outside WEB-INF?

AFAIK, with the default setting WEB-INF may contain only resources directly accessed by the application server, such as libraries, class files and web.xml. Is that correct? Any hints are appreciated.

Renardo

1 Answer


If you read the related post in the question you are quoting, then you should know that it doesn't apply to JSP, JSF, tld files. It only applies to static files (images, js, etc). And the static files usually shouldn't be served by dispatch from WEB-INF anyway, as they are static and can be served directly, which also allows caching by browsers (for resources like css, images, js).

Alternative strategy to protect static files is to use standard Java EE <security-constraint> in web.xml and define security roles that can access these resources, if they shouldn't be accessible to anyone.

Gas
  • Thanks, @Gas – if you mean the “WebSphere forum” post, it does not mention JSF or TLD, and just contains sample code with a JSP file but does not explain it. The “accepted answer” says to set `exposeWebInfOnDispatch=true`. But if JSP can be served from `WEB-INF`, that's something at least. So `struts-config.xml` and the like will have to go outside `WEB-INF`. It's amusing that IBM provides a migration analyzer which explicitly checks for JSP files in `WEB-INF` and flags them as potential problems. – Renardo Sep 07 '18 at 15:31
  • @Renardo, although I didn't check it I'd say that xml config files, like `struts-config.xml`, or spring related configs can safely be placed still in `WEB-INF`. This restriction is only for files that are called using dispatch - like `dispatcher.forward/include` methods - and configs are usually loaded differently. – Gas Sep 07 '18 at 22:18
  • Thanks again, @Gas; so there may be some trial and error ahead. It would be great if HAL documented the mechanisms concerned (forward, include, getResource, java.io.File etc) instead of just saying “a servlet cannot access files the WEB-INF directory” (sic). – Renardo Sep 08 '18 at 10:43