What is WEB-INF used for in a Java EE web application

Question

I m working on a Java EE web application with the following source code structure  src main java                  lt -- multiple packages containing Java classes src test java                  lt -- multiple packages containing JUnit tests src main resources             lt -- includes properties files for textual messages src main webapp resources      lt -- includes CSS  images and all Javascript files src main webapp WEB-INF src main webapp WEB-INF tags src main webapp WEB-INF views  The directory I m interested in WEB-INF  It contains web xml  XML files for setting up servlets  Spring bean wiring contexts and JSP tags and views  I m trying to understand what constrains defines this structure  E g  do JSP files always have to be within WEB-INF or could they be somewhere else  And is there anything else that might go in WEB-INF  Wikipedia s WAR files entry mentions classes for Java classes and lib for JAR files - not sure I ve fully grasped when these would be needed in addition to the other source file locations

User · Answer

When you deploy a Java EE web application (using frameworks or not),its structure must follow some requirements/specifications. These specifications come from :

The servlet container (e.g Tomcat)

Java Servlet API

Your application domain

The Servlet container requirements
If you use Apache Tomcat, the root directory of your application must be placed in the webapp folder. That may be different if you use another servlet container or application server.

Java Servlet API requirements
Java Servlet API states that your root application directory must have the following structure :

ApplicationName
|
|--META-INF
|--WEB-INF
      |_web.xml       <-- Here is the configuration file of your web app(where you define servlets, filters, listeners...)
      |_classes       <--Here goes all the classes of your webapp, following the package structure you defined. Only 
      |_lib           <--Here goes all the libraries (jars) your application need

These requirements are defined by Java Servlet API.

3. Your application domain
Now that you've followed the requirements of the Servlet container(or application server) and the Java Servlet API requirements, you can organize the other parts of your webapp based upon what you need.
- You can put your resources (JSP files, plain text files, script files) in your application root directory. But then, people can access them directly from their browser, instead of their requests being processed by some logic provided by your application. So, to prevent your resources being directly accessed like that, you can put them in the WEB-INF directory, whose contents is only accessible by the server.
-If you use some frameworks, they often use configuration files. Most of these frameworks (struts, spring, hibernate) require you to put their configuration files in the classpath (the "classes" directory).

User · Answer

The Servlet 2 4 specification says this about WEB-INF  page 70       A special directory exists within the application hierarchy named   WEB-INF  This directory contains all things related to the   application that aren   t in the document root of the application  The   WEB-INF node is not part of the public document tree of the   application  No file contained in the WEB-INF directory may be served   directly to a client by the container  However  the contents of the   WEB-INF directory are visible to servlet code using the getResource   and getResourceAsStream method calls on the ServletContext  and may   be exposed using the RequestDispatcher calls    This means that WEB-INF resources are accessible to the resource loader of your Web-Application and not directly visible for the public    This is why a lot of projects put their resources like JSP files  JARs libraries and their own class files or property files or any other sensitive information in the WEB-INF folder  Otherwise they would be accessible by using a simple static URL  usefull to load CSS or Javascript for instance    Your JSP files can be anywhere though from a technical perspective  For instance in Spring you can configure them to be in WEB-INF explicitly     lt bean id  viewResolver  class  org springframework web servlet view InternalResourceViewResolver      p prefix   WEB-INF jsp        p suffix   jsp   gt   lt  bean gt    The WEB-INF classes and WEB-INF lib folders mentioned in Wikipedia s WAR files article are examples of folders required by the Servlet specification at runtime   It is important to make the difference between the structure of a project and the structure of the resulting WAR file    The structure of the project will in some cases partially reflect the structure of the WAR file  for static resources such as JSP files or HTML and JavaScript files  but this is not always the case   The transition from the project structure into the resulting WAR file is done by a build process    While you are usually free to design your own build process  nowadays most people will use a standardized approach such as Apache Maven  Among other things Maven defines defaults for which resources in the project structure map to what resources in the resulting artifact  the resulting artifact is the WAR file in this case   In some cases the mapping consists of a plain copy process in other cases the mapping process includes a transformation  such as filtering or compiling and others   One example  The WEB-INF classes folder will later contain all compiled java classes and resources  src main java and src main resources  that need to be loaded by the Classloader to start the application    Another example  The WEB-INF lib folder will later contain all jar files needed by the application  In a maven project the dependencies are managed for you and maven automatically copies the needed jar files to the WEB-INF lib folder for you  That explains why you don t have a lib folder in a maven project

User · Answer

There is a convention  not necessary  of placing jsp pages under WEB-INF directory so that they cannot be deep linked or bookmarked to  This way all requests to jsp page must be directed through our application  so that user experience is guaranteed

User · Answer

You should put in WEB-INF any pages  or pieces of pages  that you do not want to be public  Usually  JSP or facelets are found outside WEB-INF  but in this case they are easily accesssible for any user  In case you have some authorization restrictions  WEB-INF can be used for that    WEB-INF lib can contain 3rd party libraries which you do not want to    pack at system level  JARs can be available for all the applications    running on your server   but only for this particular applciation   Generally speaking  many configurations files also go into WEB-INF    As for WEB-INF classes - it exists in any web-app  because that is the folder where all the compiled sources are placed  not JARS  but compiled  java files that you wrote yourself

User · Answer

This convention is followed for security reasons  For example if unauthorized person is allowed to access root JSP file directly from URL then they can navigate through whole application without any authentication and they can access all the secured data

[java] What is WEB-INF used for in a Java EE web application?

Examples related to java

Examples related to servlets

Examples related to war

Examples related to java-ee-7

Examples related to web-inf