I'm working on a Java EE web application with the following source code structure:
src/main/java <-- multiple packages containing Java classes
src/test/java <-- multiple packages containing JUnit tests
src/main/resources <-- includes properties files for textual messages
src/main/webapp/resources <-- includes CSS, images and all Javascript files
src/main/webapp/WEB-INF
src/main/webapp/WEB-INF/tags
src/main/webapp/WEB-INF/views
The directory I'm interested in WEB-INF
: It contains web.xml
, XML files for setting up servlets, Spring bean wiring contexts and JSP tags and views. I'm trying to understand what constrains/defines this structure. E.g. do JSP files always have to be within WEB-INF
or could they be somewhere else? And is there anything else that might go in WEB-INF
? Wikipedia's WAR files entry mentions classes
for Java classes and lib
for JAR files - not sure I've fully grasped when these would be needed in addition to the other source file locations.
You should put in WEB-INF any pages, or pieces of pages, that you do not want to be public. Usually, JSP or facelets are found outside WEB-INF, but in this case they are easily accesssible for any user. In case you have some authorization restrictions, WEB-INF can be used for that.
WEB-INF/lib can contain 3rd party libraries which you do not want to pack at system level (JARs can be available for all the applications running on your server), but only for this particular applciation.
Generally speaking, many configurations files also go into WEB-INF.
As for WEB-INF/classes - it exists in any web-app, because that is the folder where all the compiled sources are placed (not JARS, but compiled .java files that you wrote yourself).
This convention is followed for security reasons. For example if unauthorized person is allowed to access root JSP file directly from URL then they can navigate through whole application without any authentication and they can access all the secured data.
When you deploy a Java EE web application (using frameworks or not),its structure must follow some requirements/specifications. These specifications come from :
- The servlet container (e.g Tomcat)
- Java Servlet API
- Your application domain
Java Servlet API requirements
Java Servlet API states that your root application directory must have the following structure :
ApplicationName
|
|--META-INF
|--WEB-INF
|_web.xml <-- Here is the configuration file of your web app(where you define servlets, filters, listeners...)
|_classes <--Here goes all the classes of your webapp, following the package structure you defined. Only
|_lib <--Here goes all the libraries (jars) your application need
These requirements are defined by Java Servlet API.
3. Your application domain
Now that you've followed the requirements of the Servlet container(or application server) and the Java Servlet API requirements, you can organize the other parts of your webapp based upon what you need.
- You can put your resources (JSP files, plain text files, script files) in your application root directory. But then, people can access them directly from their browser, instead of their requests being processed by some logic provided by your application. So, to prevent your resources being directly accessed like that, you can put them in the WEB-INF directory, whose contents is only accessible by the server.
-If you use some frameworks, they often use configuration files. Most of these frameworks (struts, spring, hibernate) require you to put their configuration files in the classpath (the "classes" directory).
There is a convention (not necessary) of placing jsp pages under WEB-INF directory so that they cannot be deep linked or bookmarked to. This way all requests to jsp page must be directed through our application, so that user experience is guaranteed.
Source: Stackoverflow.com