为什么要把 JSP 放在 WEB-INF 中? [英] Why put JSP in WEB-INF?

问题描述

我注意到一个常见的模式是将 JSP 页面放在 WEB-INF 文件夹中(而不是 WAR 根目录).有什么不同?为什么这是首选?

I noticed a common pattern is to put JSP pages in WEB-INF folder (as opposed to WAR root). What's the difference? Why is that preferred?

推荐答案

WEB-INF 中的文件对用户不可见.这样比较安全.

Files in WEB-INF are not visible to the users. It's a bit safer that way.

如果(一个人为的例子)你包含了 db.jsp，但它本身会抛出一个异常，恶意用户可以打开 http://yoursite.com/db.jsp 并从异常消息中深入了解您的应用程序(最糟糕的是数据库凭据).

If (a contrived example) you are including db.jsp, but by itself it throws an exception, a malicious user can open http://yoursite.com/db.jsp and get some insight on your application (worst - the database credentials) from the exception message.

这篇关于为什么要把 JSP 放在 WEB-INF 中?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！