Making static content and JSPs directly accessible

When you deploy static HTML and JSPs, you can choose whether to make them directly accessible from outside the web app. By directly accessible, we mean that a client can enter the path to the resource into his browser, and the server will return the resource. But you can prevent direct access by putting files under WEB-INF or, if you’re deploying as a WAR file, under META-INF.

image with no caption

Note

If the server gets a client request for anything under WEB-INF or META-INF, the Container MUST respond with a 404 NOT FOUND error!

There are no Dumb Questions

Q:

Q: If you can’t serve content from WEB-INF or META-INF, what’s the point of putting pages there??!!

A:

A: Think about that. You have Java classes and class members with package-level (default) access, right? These are classes and members not available to the “public”, but meant for internal use by other classes and members that are publicly exposed. It’s the same way for these non-accessible static content and JSPs. By putting them under WEB-INF (or, with a WAR file, META-INF), you’re protecting them from any direct access, while still allowing other parts of the web app to use them.

You might, for example, want to forward to or include a file while making sure that no client can directly request it. Chances are, if you want to protect a resource from direct access, you’ll use WEB-INF and not META-INF, ...

Get Head First Servlets and JSP, 2nd Edition now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial