Moving resources under WEB-INF

2

5

I have a web application that contains hundreds of HTML, JavaScript and image files. These files are located under the root directory:

my_root--
    -- html
    -- js
    -- images

These folders contain some subfolders.

For security reasons I need to move all these resources under the WEB-INF folder so they will not be directly accessible.

Currently JSP and servlet files are already under the WEB-INF folder.

What is the easiest method for me to safely move all HTML/JavaScript/images folders under the WEB-INF without breaking all links/forwarding to resources in these folders and make sure these resources are not directly accessible?

I am using WebSphere and WebLogic servers.

Mei answered 23/8, 2012 at 8:54 Comment(1)
Can you give a simple example to help make it clearer - do you mean you want to prevent users from accessing '/examplepage.jsp' by moving it to WEB-INF? How do users access pages currently - are you using a framework like Struts etc.? - Linguistics
9

> What is the easiest method for me to safely move all html/js/images folders under the WEB-INF without breaking all links/forwarding to resources in these folders and make sure these resources are not directly accessible?

You're making a thinking mistake here. HTML/JS/image (and CSS) resources need to be directly accessible anyway. For JSPs the story is different: some of them, if not all, need to be preprocessed by a servlet (e.g. to retrieve some list from the DB for display in a table). If those JSPs were accessed directly, then that servlet step would be skipped altogether, which is absolutely not what you want (the JSPs end up "empty", without any data from the DB). That's why they should be hidden in /WEB-INF to prevent direct access without going through a preprocessing servlet first. Also, in the case of servlet-based MVC frameworks, this way the whole MVC framework process (collecting request parameters, converting/validating them, updating model values, invoking actions, etc.) would be skipped.

Your concrete functional requirement is not exactly clear (the whole question makes no sense on its own; the answer is just "don't do that"), but if you actually want to restrict access to static resources which don't need to be preprocessed by a servlet at all to certain users only, then you need to implement an authentication/login system. You can utilize container managed authentication or homegrow a Filter for this.

Fredenburg answered 30/8, 2012 at 10:31 Comment(0)
0

You can go with a very simple tool like Notepad++ and use the find-and-replace feature. Eclipse can also do this, but it gets tricky to effectively find every reference.

Note that there are other ways to stop users from accessing your images. It is probably easier to just leave things where they are and instruct WebSphere to stop serving these images from the images folder.

Siren answered 30/8, 2012 at 10:22 Comment(7)
I am disheartened with the suggestion - Alumina
"with a very simple tool like notepad++ and use the findAndReplace feature" :-( This is a very bad idea, I think - Alumina
Why is that such a bad idea, @Kowser? - Siren
1. It does not assure all links will be fixed - Alumina
2. It may replace important hardcoded references to some resources, which are not unexpected - Alumina
3. Maybe those static resources inside WEB-INF are served using some other tool/mechanism which is unpredictable - Alumina
4. And I feel a code smell if it is needed to refer to WEB-INF all the time to refer to any static resource. This practice should be avoided... so wondering if search & replace is the expected solution. - Alumina
