Renardo

Reputation: 549

What's the use of exposeWebInfOnDispatch=false in WebSphere Application Server?

As question 20378230 points out, IBM WebSphere Application Server (WAS) no longer allows servlets to access files in WEB-INF, except if you set exposeWebInfOnDispatch=true in server.xml (false is the default, as described here).

WEB-INF used to be my location of choice for servlet configuration data and for JSP, TLD, JSF etc. files, in order to protect them from direct client access. Does that mean that all JSF, Struts and similar projects have to use this setting? Or is there an alternative strategy to protect such resources in WAS if they are placed outside WEB-INF?

AFAIK, with the default setting WEB-INF may contain only resources directly accessed by the application server, such as libraries, class files and web.xml. Is that correct? Any hints are appreciated.

Upvotes: 0

Views: 339

Answers (1)

Gas

Reputation: 18030

If you read the related post in the question you are quoting, then you should know that it doesn't apply to JSP, JSF or TLD files. It only applies to static files (images, JS, etc.). And the static files usually shouldn't be served by dispatch from WEB-INF anyway, as they are static and can be served directly, which also allows caching by browsers (for resources like CSS, images, JS).

An alternative strategy to protect static files is to use the standard Java EE <security-constraint> in web.xml and define security roles that can access these resources, if they shouldn't be accessible to anyone.

Upvotes: 2
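The `<security-constraint>` approach from the answer above, as an added example that is not part of the original answer. The `/reports/*` and `/internal/*` paths, the `staff` role and the realm name are assumptions for illustration; a Servlet 3.0 descriptor is assumed.

```xml
<!-- WEB-INF/web.xml (fragment): protecting static files that live outside WEB-INF -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- Case 1: static files only authenticated users in one role may fetch.
       No <http-method> element is listed, so the constraint covers every
       HTTP method, not just GET. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Role-restricted static files</web-resource-name>
      <url-pattern>/reports/*</url-pattern>   <!-- assumed path -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>staff</role-name>            <!-- assumed role -->
    </auth-constraint>
  </security-constraint>

  <!-- Case 2: files no client may request directly. An empty
       <auth-constraint/> denies all direct requests. Security constraints
       are not applied to RequestDispatcher forward/include, so the
       application can still dispatch to these files internally, which
       gives behaviour close to keeping them under WEB-INF. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Dispatch-only files</web-resource-name>
      <url-pattern>/internal/*</url-pattern>  <!-- assumed path -->
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <!-- Needed for Case 1: how callers authenticate, and the role declaration. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>example-realm</realm-name>    <!-- assumed name -->
  </login-config>

  <security-role>
    <role-name>staff</role-name>
  </security-role>
</web-app>
```

The declared role still has to be mapped to real users or groups when the application is deployed, and application security must be enabled on the server for the constraints to be enforced.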
