Moving resources under WEB-INF


Question

I have a web application that contains hundreds of HTML, JavaScript and image files. These files are located under the root directory:

my_root--
    -- html
    -- js
    -- images

These folders contain some subfolders.

For security reasons I need to move all these resources under the WEB-INF folder so they will not be directly accessible.

Currently JSP and servlet files are already under the WEB-INF folder.

What is the easiest method for me to safely move all HTML/JavaScript/images folders under the WEB-INF without breaking all links/forwarding to resources in these folders and make sure these resources are not directly accessible?

I am using WebSphere and WebLogic servers.

Recommended answer

What is the easiest method for me to safely move all html/js/images folders under the WEB-INF without breaking all links/forwarding to resources in these folders and make sure these resources are not directly accessible?

You're making a thinking mistake here. HTML/JS/image (and CSS) resources need to be directly accessible anyway. For JSPs the story is different, some of them, if not all, need to be preprocessed by a servlet (e.g. to retrieve some list from DB for display in a table). If those JSPs were accessed directly, then that servlet step would be skipped altogether, which is absolutely not what you want (the JSPs end up "empty"; without any data from the DB). That's why they should be hidden in /WEB-INF to prevent direct access without going through a preprocessing servlet first. Also, in case of servlet based MVC frameworks, this way the whole MVC framework process (collecting request parameters, converting/validating them, updating model values, invoking actions, etc.) would be skipped.

Your concrete functional requirement is not exactly clear (the whole question makes no sense on its own; the answer is just "don't do that"), but if you actually want to restrict access to static resources which don't need to be preprocessed by a servlet at all to certain users only, then you need to implement an authentication/login system. You can utilize container managed authentication or homegrow a Filter for this.
