Before JSF 2.2, resources such as javascript, css and composite components would be placed at the root of a web archive in a /resources
folder. A security constraint in WEB-INF would accompany this setup to prevent direct access:
<security-constraint>
<display-name>Restrict direct access to JSF resources</display-name>
<web-resource-collection>
<web-resource-name>JSF resources</web-resource-name>
<url-pattern>/resources/*</url-pattern>
</web-resource-collection>
<auth-constraint />
</security-constraint>
In JSF 2.2, however, you can simply put the resources folder in WEB-INF: /WEB-INF/resources
. This gives the resources implicit protection from direct access.
WEB-INF
according to Tomcat documentation and IBM documentation describes it as a folder to store configuration files. It seems like a hack to put non configuration resources in WEB-INF
just to gain the protection of the WEB-INF
directory.
Are both methods of storing the resources identical in their effect? Are their any concrete drawbacks to either method?
You can safety put resources under WEB-INF it will save you from the mistake of forget to protect it from directly access, nothing more ! If you wanna keep in root with protection the effect will be the same.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.