2025-04-03 Update From: SLTechnology News&Howtos
Shulou(Shulou.com) 06/01 Report--
Many people new to Tomcat do not know how the WEB-INF directory is handled, so this article explains what the directory is for, how the container protects it, and how an application reads from it.
As a web container, Tomcat's main job is to parse the deployed web applications and respond to user requests.
A web application is commonly packaged as a WAR file.
Within it, WEB-INF is a special directory that serves as the application's protected area. The Servlet specification also has requirements for it:
A special directory exists within the application hierarchy named "WEB-INF".
This directory contains all things related to the application that aren't in the document root of the application.
That is, files that belong to the application but must not be exposed under the document root go here.
The contents fall into the following categories:
web.xml
Since Servlet 3.0, web-fragment.xml declarations are also supported.
The classes directory, which holds the compiled class files of the application.
The lib directory, which holds the third-party JAR files the application depends on.
For access to the WEB-INF directory, the specification imposes the following constraints:
The Web application class loader must load classes from the WEB-INF/classes directory first, and then from library JARs in the WEB-INF/lib directory. Also, except for the case where static resources are packaged in JAR files, any requests from the client to access the resources in WEB-INF/ directory must be returned with a SC_NOT_FOUND (404) response.
Therefore, every direct request from the client for the WEB-INF directory must return 404.
In this way, files that need protection can be placed in the WEB-INF directory without worrying about direct access. For example, the Manager application mentioned in the previous article protects its users with BASIC login authentication, and the role name and authentication method it requires are defined in web.xml. It would be insecure if the client could read the WEB-INF directory directly.
However, the application itself still needs to access the files stored in WEB-INF. For this, the ServletContext interface provides two convenient methods:
getResource
getResourceAsStream
Both methods take a String parameter that starts with / and resolve it from the root of the web application, so they can reach any resource, including those under the WEB-INF directory.
Now let's look at the code.
Now, show you the code.
How to implement direct access protection for WEB-INF in Tomcat
The check is implemented in the StandardContextValve class. A Valve is a Tomcat component (literally a "valve"), and several Valves of different types can be chained in a Pipeline to control processing along the whole Pipeline. StandardContextValve is the Valve that StandardContext (which represents an ordinary web application) configures by default, so every request for the application flows through this valve before it reaches the components below. StandardWrapper (which represents a Servlet) is a child component of the Context, so it is processed only after the StandardContextValve, and that ordering is what makes the access control effective.
The ServletContext interface mentioned above is a set of methods for interacting with the Servlet container.
Besides getResource, it also exposes a method that returns an absolute file-system path:
getRealPath
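To make the two views concrete, here is an added Python model (example code, not Tomcat's or the Servlet API's own source) of the check StandardContextValve performs on the request path and of a server-side read in the spirit of getResourceAsStream; the temporary webapp layout and the modelled decode-and-normalize step are constructed for the illustration.

```python
# Added illustration (not Tomcat's source): a Python model of the path check in
# StandardContextValve, next to a server-side read like getResourceAsStream that
# is still allowed to reach WEB-INF. Tomcat's connector has already URL-decoded
# and normalized the request path when the valve runs, so the model does so too.
import posixpath
import tempfile
from pathlib import Path
from urllib.parse import unquote

PROTECTED = ("/WEB-INF", "/META-INF")  # the valve guards both, case-insensitively
SC_OK, SC_NOT_FOUND = 200, 404


def normalize(raw_path: str) -> str:
    """Percent-decode, then collapse '.', '..' and repeated slashes."""
    norm = posixpath.normpath(unquote(raw_path))
    return "/" + norm.lstrip("/")  # normpath may keep a leading '//'; pin to one


def is_protected(path: str) -> bool:
    """True for /WEB-INF, /META-INF or anything below them, compared the way
    equalsIgnoreCase / startsWithIgnoreCase do in the Java valve."""
    upper = path.upper()
    return any(upper == p or upper.startswith(p + "/") for p in PROTECTED)


def context_valve(raw_path: str) -> int:
    """Status a direct client request for raw_path gets from the valve."""
    return SC_NOT_FOUND if is_protected(normalize(raw_path)) else SC_OK


def get_resource_as_stream(app_root: Path, path: str) -> bytes:
    """Server-side read modelled on ServletContext.getResourceAsStream: the path
    is resolved from the application root and WEB-INF is not filtered, because
    the application itself must be able to read web.xml and friends."""
    if not path.startswith("/"):
        raise ValueError("path must start with '/'")
    target = (app_root / normalize(path).lstrip("/")).resolve()
    if app_root.resolve() not in target.parents:  # stay inside the webapp
        raise ValueError("path escapes the application root")
    return target.read_bytes()


def make_demo_webapp() -> Path:
    """Constructed sample WAR layout: a public page plus WEB-INF/web.xml."""
    root = Path(tempfile.mkdtemp(prefix="webapp-"))
    (root / "WEB-INF").mkdir()
    (root / "WEB-INF" / "web.xml").write_text("<web-app/>")
    (root / "index.html").write_text("<html/>")
    return root
```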
To sum up, the WEB-INF directory is not part of the web application's public root tree: everything under it is visible to the server but not to the client. On the server side, its contents can be read through the methods exposed by the ServletContext interface.
After reading the above, do you now understand how the WEB-INF directory is handled? If you want to learn more, you are welcome to follow the industry information channel. Thank you for reading!