How can I go to the source folder of a project by the browser URL in Java web. I want to ask that my project (consists of JSP and Servlets) is running at http://localhost:8080/myproject/index.jsp in Tomcat. If I want to go to the source folder that is myproject through browser's URL then how can I go? Simply you can tell that I want to hack this project, by knowing this I can prevent this access and can protect my website.
Not sure if this helps you, but if you're using some kind of Controller pattern (e.g. using Struts or a custom servlet that forwards to a JSP), the recommended way to prevent direct access to your JSP pages is to place them in the WEB-INF directory and then forward to these pages from your controller. See here for more details: How to properly put JSPs in the WEB-INF folder?
The Servlet 2.3 standard also defines how to prevent direct access in a similar manner (without putting them under WEB-INF), which then also requires forwarding the request to these pages. For details, see here: http://www.jguru.com/faq/view.jsp?EID=471953
Related
I have a web application that contains hundreds of HTML, JavaScript and image files. These files are located under the root directory:
my_root--
-- html
-- js
-- images
These folders contain some subfolders.
For security reasons I need to move all these resources under the WEB-INF folder so they will not be directly accessible.
Currently JSP and servlet files are already under the WEB-INF folder.
What is the easiest method for me to safely move all HTML/JavaScript/images folders under the WEB-INF without breaking all links/forwarding to resources in these folders and make sure these resources are not directly accessible?
I am using WebSphere and WebLogic servers.
> What is the easiest method for me to safely move all html/js/images folders under the WEB-INF without breaking all links/forwarding to resources in these folders and make sure these resources are not directly accessible?
You're making a thinking mistake here. HTML/JS/image (and CSS) resources need to be directly accessible anyway. For JSPs the story is different, some of them, if not all, need to be preprocessed by a servlet (e.g. to retrieve some list from DB for display in a table). If those JSPs were accessed directly, then that servlet step would be skipped altogether, which is absolutely not what you want (the JSPs end up "empty"; without any data from the DB). That's why they should be hidden in /WEB-INF to prevent direct access without going through a preprocessing servlet first. Also, in case of servlet based MVC frameworks, this way the whole MVC framework process (collecting request parameters, converting/validating them, updating model values, invoking actions, etc) would be skipped.
Your concrete functional requirement is not exactly clear (the whole question on its own makes no sense; the answer is just "don't do that"), but if you actually want to restrict access to static resources which don't need to be preprocessed by a servlet at all to certain users only, then you need to implement an authentication/login system. You can utilize container managed authentication or homegrow a Filter for this.
You can go with a very simple tool like notepad++ and use the findAndReplace feature. Eclipse can also do this but it gets tricky to effectively find every reference.
Note that there are other ways to stop users from accessing your images. It is probably easier to just leave things where they are and instruct WebSphere to stop serving these images from the images folder.
Continue to this question and answers:
What is WEB-INF used for in a Java web application?
Further question regarding this issue: Beside making my resource private, is there any special reason I should put my JSP files in WEB-INF? Is there any advantage to put my JSP files outside the WEB-INF? I am using Spring framework if it is related to my question.
Short answer: No -- there is no advantage putting the JSPs outside of the WEB-INF folder, when you use a MVC Framework like Spring-MVC. There are only disadvantages: like someone could directly invoke the JSP and could bypass all your functionality that is implemented on top of the Spring-MVC stack.
Files within the WEB-INF folder are not directly accessible via an url.
Putting JSP files in the WEB-INF folder makes sense if you don't want them to be publicly accessible.
An example of such a case is where you use a MVC framework, where you use JSP as view. The main entry point is an url mapped to a controller, which builds a model and generates the page using JSP. In this case it does not make sense to expose the JSP directly.
I am developing a java/javascript web application with JSPs, servlets, JAX-RS, and AngularJS. I am pretty new to this kind of stuff.
One problem I've been having is that I need to address url paths from static html, from javascript files, from jsps, and within servlets. I would like to be able to deploy this web app under different context roots (basically deploy in different folders). But in order to do this, unless I am mistaken, I must go through all the static files, (javascript and html) and change every link to properly reference resources based on new root directory. For the server side files, there are some java convenience methods like ServletContext's getContextPath() which allow me to avoid this.
Are there any conventions or strategies that people use to allow one to easily move a web app to different directories on a site without breaking all the links? At the moment I am guessing you must do search and replace for all the links.
Maybe put a special tag next to all local links so you know to change it?
Cheers,
As Java1 indicates, just use relative paths.
If the resource you are referencing is on the same level as the current web page, you don't need to prepend any path info. For example, if your main web page is loaded from path http://www.example.com/context/hello.html, and you have an image folder with path http://www.example.com/context/image, you can just load an image from that folder in your html with the relative path `<img src="image/someimage.png">`, without putting hostname or servlet context in your path.
If you are a level deeper than the resource you are referencing, use "../" in front of the path. For example: `<img src="../image/someimage.png">`. If you are two levels deeper, use `../../image/someImage`, etc.
This holds true not just for images, but for scripts or static html as long as the web browser is loading the resource.
The web browser is responsible for converting the relative path to a server path. If you need to load something from the server side, you will need to use the full path.
I am using Weblogic for deploying my Java EE applications. I am using JSP technology for my project. I know that the jsp files are processed in the jsp engine and in the life cycle of jsp, it is converted into the servlet code.
Can you please tell me that how I can get the generated servlet code?
This will vary based on the weblogic set up on your box. If weblogic is compiling your JSPs (you are not pre-compiling them) then it may be under domains\<YOUR_DOMAIN_NAME>\servers\<APP_SERVER_NAME>\tmp\_WL_user\<APPLICATION_WAR> .
It is generally a good idea to pre-compile your JSPs for performance reasons and add the servlet mappings in the web.xml. You can see a reference to how to do that in weblogic here under the section "Precompiling JSPs".
In my application I am using Maven and the JSP servlet compiles are sent to the war file in the \target folder of the maven project, i.e. \target\.war\WEB-INF\classes\jsp_servlet. If you find the jsp_servlet folder you will find the compiled Java servlet code and the class file. With Eclipse you could use the debugger and set breakpoints. A word of caution, the servlet code is complex. If you are trying to debug JSP I would use other techniques, such as temporarily embed EL commands in the JSP to display data and functionality. Also, JSP should have little or no business logic so it would also be advisable to focus on the model and controller.
If I'm using HttpServlet's for my controllers, and I've got my models setup and in a specific package, what about the views? The last thing I want is to dump all of this HTML into my controllers. Where do I put it? What file types?
I'm new to Java :)
Update
If I should be using jsp files, wouldn't having jsp files within my "Web Pages" section make them publicly viewable? Or should they go somewhere else? How do I include them on my page and pass parameters to them?
If you are using servlets (which seems to be the case), your view should go in JSP files. If you are using JSF, you put your view in facelets, but it is not the case since you are using servlets. JSF is the most recent specification, but I bet it is better to start by JSPs and servlets - maybe following the official tutorial.
EDIT: how to dispatch a request from the servlet to a JSP? Just get a RequestDispatcher from the ServletRequest passing the JSP path as parameter:
RequestDispatcher dispatcher = request.getRequestDispatcher("/index.jsp");
If the dispatcher is different from null, just call its include() or forward() method:
dispatcher.forward(request, response);
The dispatcher can be null (for example, if the JSP does not exist) so it is a good practice to verify if a proper dispatcher was returned.
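The dispatch described in this answer, combined with the WEB-INF placement recommended earlier on this page, as an added example that is not part of any original post. The servlet name, the `/products` mapping, the view path and the sample data are assumptions.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical controller: the only public URL is /products.
// The JSP sits under /WEB-INF, which the container never serves directly,
// so the view cannot be requested without this preprocessing step.
@WebServlet("/products")
public class ProductListServlet extends HttpServlet {

    // Fixed, server-side view path. It is a constant, never built from
    // request parameters, so a client cannot steer the forward elsewhere.
    private static final String VIEW = "/WEB-INF/views/products.jsp";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Preprocessing step (constructed sample data standing in for a DB query).
        List<String> products = Arrays.asList("sample-item-1", "sample-item-2");

        // Objects are handed to the JSP as request attributes;
        // the view reads them with EL, e.g. ${products}.
        request.setAttribute("products", products);

        RequestDispatcher dispatcher = request.getRequestDispatcher(VIEW);
        if (dispatcher == null) {
            // No dispatcher could be obtained for the path: fail closed
            // with a generic error instead of a NullPointerException.
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return;
        }
        dispatcher.forward(request, response);
    }
}
```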
jsps or javascript if you are going for a rich internet application (RIA).
You most likely want jsps.
JSPs are for views. So they should be public. JSPs don't expose anything except for html that you output just as you would in PHP. The source does not show unless you have configured your server incorrectly.
Also you can pass objects from servlet to jsp through shared objects as they are in same vm. JSP is servlet reversed so instead of printing HTML from java you embed Java in html which saves you from writing out.print statements....
So servlets are more suited to write actions. JSP for views.
You might also look into spending some time learning JSTL too. It makes your JSPs clean and readable: http://docs.oracle.com/javaee/5/tutorial/doc/bnakc.html
Keep in mind, a user will not be able to see the code in your JSP, the web container actually compiles the JSP file much like the JVM (actually in a very similar fashion) compiles source code. If you are using something like Tomcat, you can look at a compiled JSP in the work directory of your web container. It will look surprisingly like a normal class file with a lot of out.write's in it.