Problem description
I have a web application that contains hundreds of HTML, JavaScript and image files. These files are located under the root directory:
my_root--
-- html
-- js
-- images
These folders contain some subfolders.
For security reasons I need to move all these resources under the WEB-INF folder so they will not be directly accessible.
Currently JSP and servlet files are already under the WEB-INF folder.
What is the easiest method for me to safely move all HTML/JavaScript/images folders under the WEB-INF without breaking all links/forwarding to resources in these folders and make sure these resources are not directly accessible?
I am using WebSphere and WebLogic servers.
Recommended answer
You're making a thinking mistake here. HTML/JS/image (and CSS) resources need to be directly accessible anyway. For JSPs the story is different, some of them, if not all, need to be preprocessed by a servlet (e.g. to retrieve some list from DB for display in a table). If those JSPs were accessed directly, then that servlet step would be skipped altogether, which is absolutely not what you want (the JSPs end up "empty"; without any data from the DB). That's why they should be hidden in /WEB-INF to prevent direct access without going through a preprocessing servlet first. Also, in case of servlet based MVC frameworks, this way the whole MVC framework process (collecting request parameters, converting/validating them, updating model values, invoking actions, etc.) would be skipped.
Your concrete functional requirement is not exactly clear (the whole question makes no sense on its own; the answer is just "don't do that"), but if you actually want to restrict access to static resources which don't need to be preprocessed by a servlet at all to certain users only, then you need to implement an authentication/login system. You can utilize container managed authentication or homegrow a Filter for this.