Shulou(Shulou.com)06/01 Report--

How to analyze the WEB-INF directory, I believe that many inexperienced people do not know what to do, so this article summarizes the causes of the problem and solutions, through this article I hope you can solve this problem.

As a Web Container, the biggest function of Tomcat is to parse the deployed WEB application and give users a response.

Common WEB applications, also known as WAR files

Among them, WEB-INF is a special directory, which exists as a security directory for WEB applications. The Servlet specification also has requirements for this:

A special directory exists within the application hierarchy named "WEB-INF".

This directory contains all things related to the application that aren't in the document root of the application.

That is, all the files related to the application, but can not be put in the root directory, can be put here.

The contents include the following categories:

Web.xml

For servlet 3.0, the declaration of its web-fragment.xml is supported.

The classes directory, which holds the class files for all compiled applications

Lib directory, which stores the third-party jar files that the application depends on.

For access to the WEB-INF directory, the specification has the following constraints

The Web application class loader must load classes from the WEB-INF/classes directory first, and then from library JARs in the WEB-INF/lib directory. Also, except

For the case where static resources are packaged in JAR files, any requests from the

Client to access the resources in WEB-INF/ directory must be returned with a

SC_NOT_FOUND (404) response.

Therefore, all direct requests (direct access) from the client side to the WEB-INF directory must return 404.

In this way, some of our files that need to be protected can be placed in the WEB-INF directory without worrying about being accessed directly. For example, the Manager application mentioned in the previous article, its access to users set the login authentication of BASIC, and the role name and authentication method required for authentication are defined in web.xml. It would be insecure if the WEB-INF directory could be read directly by Client.

However, for the application itself, the files stored in the WEB-INF directory still need to be accessed. To this end, the ServletContext interface provides two methods that are easy to use.

GetResource

GetResourceAsStream

Both methods receive a parameter of type String starting with /, which is used to get all resources from the root directory of the WEB application, including the WEB-INF directory.

Now, show you the code.

How to implement direct access protection for WEB-INF in Tomcat

In the StandardContextValve class, Valve is a component of Tomcat, translated as a valve, and multiple different types of Valve can be used in a Pipeline to control the entire Pipeline. StandardContextValve here is a Valve configured by default by StandardContext (representing a commonly used Web application). Therefore, requests for applications will flow through this valve and then be processed by other components below. StandardWrapper (representing Servlet) is a subordinate component of Context, so it will be processed after ContextValue processing to achieve access control.

The ServletContext interface mentioned above is a series of methods provided to interact with the Servlet container.

For example, in addition to exposing the interface of getResource, it also provides an interface to obtain the absolute path.

GetRealPath .

To sum up, the WEB-INF directory is not part of the WEB application root tree, and all the contents under the directory are visible to the server and not visible to the client. On the server side, it can be read through the method exposed by the ServletContext interface.

After reading the above, have you mastered how to analyze the WEB-INF directory? If you want to learn more skills or want to know more about it, you are welcome to follow the industry information channel, thank you for reading!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.