The WEB-INF directory is a special folder within the application hierarchy that contains components and resources not exposed directly to clients. The Servlet 2.4 specification states:
The WEB-INF node is not part of the public document tree of the application. No file contained in the WEB-INF directory may be served directly to a client by the container.
Purpose of WEB-INF
WEB-INF provides a protected environment for storing sensitive resources such as:
By placing these resources in WEB-INF, you prevent unauthorized access and protect sensitive information.
Content of WEB-INF
The contents of WEB-INF can vary depending on the application. Common folders include:
JSP File Placement
JSP files can technically reside anywhere within the source directory structure. However, many frameworks recommend placing them in the WEB-INF directory for protection.
WEB-INF and WAR Files
The WEB-INF folder's structure does not always directly map to the structure of the resulting WAR file. The build process, such as Apache Maven, performs transformations and mappings to create the WAR file.
For example:
The above is the detailed content of What Role Does the WEB-INF Directory Play in Securing a Java EE Web Application?. For more information, please follow other related articles on the PHP Chinese website!