I'm working on a Java EE web application with the following source code structure:
src/main/java <-- multiple packages containing java classes
src/test/java <-- multiple packages containing JUnit tests
src/main/resources <-- includes properties files for textual messages
src/main/webapp/resources <-- includes CSS, images and all Javascript files
src/main/webapp/WEB-INF
src/main/webapp/WEB-INF/tags
src/main/webapp/WEB-INF/views
The bit I'm interested in is WEB-INF
- it contains web.xml
, XML files for setting up servlets, Spring bean wiring contexts and JSP tags and views.
The question title's basic but what I'm trying to understand is what constrains/defines this structure. E.g. would JSP files always have to be within WEB-INF
or could they be somewhere else? And is there anything else that might go in WEB-INF
? Wikipedia's WAR files entry mentions classes
for Java classes and lib
for JAR files - not sure I've fully grasped when these would be needed in addition to the other source file locations.
This convention is followed for security reasons. For example if unauthorized person is allowed to access root JSP file directly from URL then they can navigate through whole application without any authentication and they can access all the secured data.
When you deploy a Java EE web application (using frameworks or not),its structure must follow some requirements/specifications. These specifications come from :
If you use Apache Tomcat, the root directory of your application must be placed in the webapp folder. That may be different if you use another servlet container or application server.
Java Servlet API requirements
Java Servlet API states that your root application directory must have the following structure :
These requirements are defined by Java Servlet API.
3. Your application domain
Now that you've followed the requirements of the Servlet container(or application server) and the Java Servlet API requirements, you can organize the other parts of your webapp based upon what you need.
- You can put your resources (JSP files, plain text files, script files) in your application root directory. But then, people can access them directly from their browser, instead of their requests being processed by some logic provided by your application. So, to prevent your resources being directly accessed like that, you can put them in the WEB-INF directory, whose contents is only accessible by the server.
-If you use some frameworks, they often use configuration files. Most of these frameworks (struts, spring, hibernate) require you to put their configuration files in the classpath (the "classes" directory).
You should put in WEB-INF any pages, or pieces of pages, that you do not want to be public. Usually, JSP or facelets are found outside WEB-INF, but in this case they are easily accesssible for any user. In case you have some authorization restrictions, WEB-INF can be used for that.
WEB-INF/lib can contain 3rd party libraries which you do not want to pack at system level (JARs can be available for all the applications running on your server), but only for this particular applciation.
Generally speaking, many configurations files also go into WEB-INF.
As for WEB-INF/classes - it exists in any web-app, because that is the folder where all the compiled sources are placed (not JARS, but compiled .java files that you wrote yourself).
The Servlet 2.4 specification says this about WEB-INF (page 70):
This means that
WEB-INF
resources are accessible to the resource loader of your Web-Application and not directly visible for the public.This is why a lot of projects put their resources like JSP files, JARs/libraries and their own class files or property files or any other sensitive information in the
WEB-INF
folder. Otherwise they would be accessible by using a simple static URL (usefull to load CSS or Javascript for instance).Your JSP files can be anywhere though from a technical perspective. For instance in Spring you can configure them to be in
WEB-INF
explicitly:The
WEB-INF/classes
andWEB-INF/lib
folders mentioned in Wikipedia's WAR files article are examples of folders required by the Servlet specification at runtime.It is important to make the difference between the structure of a project and the structure of the resulting WAR file.
The structure of the project will in some cases partially reflect the structure of the WAR file (for static resources such as JSP files or HTML and JavaScript files, but this is not always the case.
The transition from the project structure into the resulting WAR file is done by a build process.
While you are usually free to design your own build process, nowadays most people will use a standardized approach such as Apache Maven. Among other things Maven defines defaults for which resources in the project structure map to what resources in the resulting artifact (the resulting artifact is the WAR file in this case). In some cases the mapping consists of a plain copy process in other cases the mapping process includes a transformation, such as filtering or compiling and others.
One example: The
WEB-INF/classes
folder will later contain all compiled java classes and resources (src/main/java
andsrc/main/resources
) that need to be loaded by the Classloader to start the application.Another example: The
WEB-INF/lib
folder will later contain all jar files needed by the application. In a maven project the dependencies are managed for you and maven automatically copies the needed jar files to theWEB-INF/lib
folder for you. That explains why you don't have alib
folder in a maven project.There is a convention (not necessary) of placing jsp pages under WEB-INF directory so that they cannot be deep linked or bookmarked to. This way all requests to jsp page must be directed through our application, so that user experience is guaranteed.