In a servlet I have a config text file. How can I prevent web access to it, so that only servlet code can get access to it? It is not encrypted and lies in a subdirectory of WebContent.
views: 63
answers: 3
Need not be specifically within 'classes'. It can be placed anywhere within 'WEB-INF'.
Chandru
2010-03-17 08:02:11
Putting it in the classpath, however, greatly eases the access. Just `classLoader.getResource("file.ext")` would suffice. No need to hassle with relative/absolute filesystem paths and potential portability/maintainability pains. *Just* put it anywhere you like in the classpath (`WEB-INF/classes`, `WEB-INF/lib`, a shared classpath folder as defined in server config, etc.) and don't think about it further. That's imo the only right answer. +1.
BalusC
2010-03-17 12:43:43
+2
A:
In your web.xml, filter out file types you don't want to be visible.
UPDATE
@skaffman answer is enough for this case, but for more complex filtering use this:
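```xml
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Private Area</web-resource-name>
    <url-pattern>/private/*</url-pattern>
  </web-resource-collection>
  <!-- An empty auth-constraint denies all direct requests to the matched URLs;
       without it the constraint restricts nothing -->
  <auth-constraint/>
</security-constraint>
```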
medopal
2010-03-17 08:01:10
+3
A:
Anything under WEB-INF cannot be served directly as web content; it can only be accessed by logic running server-side, like a servlet or JSP.
skaffman
2010-03-17 08:01:48
Careful though when fronting the web container (e.g. Tomcat) with a web server (e.g. Apache) because static files may be served directly.
cherouvim
2010-03-17 08:25:33
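The two access routes discussed above (a file anywhere under `WEB-INF` read through the servlet context, and a file on the classpath read through the class loader), as an added example that is not part of the original thread. The class name, file paths and the `greeting` key are hypothetical, and the `javax.servlet` API is assumed.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Properties;
import javax.servlet.ServletException;
import javax.servlet.UnavailableException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ConfigServlet extends HttpServlet {
    // Hypothetical locations: the first is anywhere under WEB-INF,
    // the second is on the classpath (e.g. WEB-INF/classes/app.properties).
    private static final String WEB_INF_PATH = "/WEB-INF/config/app.properties";
    private static final String CLASSPATH_NAME = "app.properties";

    private final Properties config = new Properties();

    @Override
    public void init() throws ServletException {
        // Context-relative lookup: works for exploded and packed WAR deployments
        // and needs no absolute filesystem path.
        InputStream in = getServletContext().getResourceAsStream(WEB_INF_PATH);
        if (in == null) {
            // Fall back to the classpath lookup.
            in = Thread.currentThread().getContextClassLoader()
                       .getResourceAsStream(CLASSPATH_NAME);
        }
        if (in == null) {
            // Fail at startup instead of serving requests without configuration.
            throw new UnavailableException("Configuration file not found");
        }
        try (InputStream stream = in) {
            config.load(stream);
        } catch (IOException e) {
            throw new ServletException("Cannot read configuration", e);
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Use the values server-side; never echo the file itself to the client.
        String greeting = config.getProperty("greeting", "hello");
        resp.setContentType("text/plain");
        resp.getWriter().println(greeting);
    }
}
```

After deployment, request the file's URL both directly from the container and through any fronting web server; both should refuse to serve it.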