I'm not sure from the spec what the intended behavior here is, but the current implementation appears to behave a bit inconsistently. From a jsp at the top dir of my webapp, if I try to:

a) <c:import url="WEB-INF/somefile" var="foo"/>
or
b) <c:import url="/WEB-INF/somefile" var="foo"/>

foo does not get bound to anything. However, if I do:

c) <c:import url="./WEB-INF/somefile" var="foo"/>

Then things "work". From a user perspective you'd expect a) and c) to both be considered relative and either work or not work together, while b) is absolute and could be different. I would prefer that the contents of WEB-INF be visible in all cases, but I'm not sure I understand what the specs say on this.

From examining org/apache/taglibs/standard/tag/common/core/ImportSupport.java it looks like targetUrl gets normalized to be absolute in acquireString by prefixing the servlet path, causing this. This problem is particular to the WEB-INF directory; all other directories have behaved fine.
Hi there. Thanks for the report. I agree that the behavior you describe is somewhat awkward, but this one's not ours. In the first two cases, we're acquiring a RequestDispatcher for "/WEB-INF/foo.txt"; in the final one, we're acquiring one literally for "/./WEB-INF/foo.txt", which I believe is acceptable to the JSTL spec. The problem is that the underlying container (Tomcat in my case, and probably in yours too if you experience the same behavior) treats these differently. I'm not 100% sure which is the bug; I believe it depends on how you read the Servlet spec, though others claim they're sure that RequestDispatcher *should* be able to retrieve content from within /WEB-INF. Either way, the inconsistency isn't ours; it's the underlying container's. Sorry. If this is a show-stopper for you, I suggest you submit a bug report to the Tomcat team, in terms of the behavior of ServletContext.getRequestDispatcher() (not in terms of <c:import>, with which they might not be familiar). I'd submit the bug report myself, but I'm swamped and don't have time to test on the various Tomcat versions at the moment. Please let me know if you have some additional reason, contrary to what I have suggested here, indicating this is indeed a JSTL bug. Thanks again for the report.
By the way, it could also just be a configuration issue: can your security manager be made less restrictive?
Ignore that last comment; it was for a different bug.
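The difference between "/WEB-INF/somefile" and "/./WEB-INF/somefile" discussed in this thread is the kind that appears when a path is tested against a protected prefix before it is normalized. The following is an added example, not code from JSTL or Tomcat; the class and method names are hypothetical and the sample paths are constructed. It compares a raw-string prefix test with one that collapses "." and ".." segments first, so every spelling of the same resource gets the same decision.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Locale;

// Added illustration; not JSTL or Tomcat code. All names here are hypothetical.
public class ProtectedPathCheck {

    // Naive check: compares the raw string, so "/./WEB-INF/x" is not recognised.
    static boolean naiveIsProtected(String path) {
        return path.toUpperCase(Locale.ROOT).startsWith("/WEB-INF/");
    }

    // Collapse "", "." and ".." segments; return null if ".." climbs above the context root.
    static String normalize(String path) {
        Deque<String> stack = new ArrayDeque<>();
        for (String seg : path.replace('\\', '/').split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) {
                if (stack.isEmpty()) return null;
                stack.removeLast();
            } else {
                stack.addLast(seg);
            }
        }
        return "/" + String.join("/", stack);
    }

    // Consistent check: decide on the normalized form, case-insensitively.
    static boolean isProtected(String path) {
        String n = normalize(path);
        if (n == null) return true; // path escapes the context root: refuse it
        String u = n.toUpperCase(Locale.ROOT);
        return u.equals("/WEB-INF") || u.startsWith("/WEB-INF/");
    }

    public static void main(String[] args) {
        // Constructed samples: the dispatcher paths for cases a)/b) and c), plus two controls.
        String[] samples = {"/WEB-INF/somefile", "/./WEB-INF/somefile",
                            "/docs/../WEB-INF/somefile", "/docs/somefile"};
        for (String p : samples) {
            System.out.printf("%-28s naive=%-5b normalized=%b%n",
                    p, naiveIsProtected(p), isProtected(p));
        }
    }
}
```

Whichever policy is wanted for WEB-INF (visible to RequestDispatcher or not), applying it to the normalized path is what makes a), b) and c) behave the same way.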