PQ58377: JSP LOCATED IN THE WEB-INF DIRECTORY IS ACCESSIBLE THROUGH A BROWSER

APAR status
Closed as program error.

Error description
In WAS 4.0.1, JSPs located in the WEB-INF directory are accessible
through a browser. According to the Servlet 2.2 spec, WEB-INF is
not part of the public document tree of the application. No file
contained in the WEB-INF directory may be served directly to a
client.
You should *not* be able to open JSP files under the WEB-INF
directory by typing the path into a browser.
Keywords: WAS 4.0.1, WEB-INF, JSPs
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server developers      *
*                 using jsp's.                                 *
****************************************************************
* PROBLEM DESCRIPTION: WebSphere is serving jsp's located in   *
*                      the web modules WEB-INF directory.      *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
Per the Servlet 2.2 specification, no resources should be served
directly from the WEB-INF directories.
Section 9.4 of the Servlet 2.2 specification:
==============================================
A special directory exists within the application hierarchy
named "WEB-INF". This directory contains all things related
to the application that aren't in the document root of the
application. It is important to note that the WEB-INF node
is not part of the public document tree of the application.
No file contained in the WEB-INF directory may be served
directly to a client.
Problem conclusion
Modified the invocation of URL requests to check for URLs
containing WEB-INF or META-INF (another special directory
located under the document root of a WAR). If such a URL is
requested directly, a file not found exception is thrown.
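
The check described in the problem conclusion, as an added example that is not IBM's code or part of the original APAR. It goes beyond a literal string test by decoding escapes, resolving dot segments and ignoring case before comparing; WebInfGuard, isProtected and checkRequest are hypothetical names, and the sample paths are constructed.

```java
import java.io.FileNotFoundException;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.ArrayDeque;
import java.util.Deque;

// Added illustration, not IBM's code: the class and method names are hypothetical.
public class WebInfGuard {

    // True when the context-relative request path resolves into WEB-INF or META-INF.
    static boolean isProtected(String rawPath) {
        String path;
        try {
            // Decode %xx escapes once so "%57EB-INF" is compared as "WEB-INF";
            // "+" is pre-escaped because URLDecoder would turn it into a space.
            path = URLDecoder.decode(rawPath.replace("+", "%2B"), "UTF-8");
        } catch (IllegalArgumentException | UnsupportedEncodingException e) {
            return true; // malformed escape: fail closed
        }
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : path.replace('\\', '/').split("/")) {
            int semi = seg.indexOf(';');          // strip ";jsessionid=..." style parameters
            if (semi >= 0) seg = seg.substring(0, semi);
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) { segments.pollLast(); continue; }
            segments.addLast(seg);
        }
        // The two directories are special only at the document root of the WAR,
        // so the first normalized segment is the one compared. Ignoring case is
        // an assumption that covers case-insensitive file systems.
        String first = segments.peekFirst();
        return first != null
            && (first.equalsIgnoreCase("WEB-INF") || first.equalsIgnoreCase("META-INF"));
    }

    // Mirrors the APAR's conclusion: a direct request is answered as "file not found".
    static void checkRequest(String rawPath) throws FileNotFoundException {
        if (isProtected(rawPath)) throw new FileNotFoundException(rawPath);
    }

    public static void main(String[] args) {
        // Constructed sample paths, relative to the web application's context root.
        String[] samples = { "/index.jsp", "/WEB-INF/secret.jsp", "/web-inf/web.xml",
            "/%57EB-INF/secret.jsp", "/images/../META-INF/MANIFEST.MF", "/docs/WEB-INF.html" };
        for (String p : samples) {
            System.out.println((isProtected(p) ? "404  " : "serve ") + p);
        }
    }
}
```

The guard applies to direct client requests only; server-side forwards to JSPs kept under WEB-INF do not pass through it.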
Temporary fix
//wasdoc0/apars/pq58377/4.0.2
Comments
APAR information
APAR number PQ58377
Reported component name WEBSPHERE AE AI
Reported component ID 5630A2200
Reported release 400
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Submitted date 2002-02-25
Closed date 2002-03-29
Last modified date 2002-05-28

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
ENGINE          

Fix information
Fixed component name WEBSPHERE AE AI
Fixed component ID 5630A2200

Applicable component levels
R400 PSY    UP


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 400
Software edition:
Reference #: PQ58377
IBM Group: Software Group
Modified date: May 28, 2002