Do we have to use hashes by default for WEB-INF folders outside the webroot?


If you choose to place WEB-INF outside the webroot (which is a good thing and should be default IMHO), each WEB-INF for each context is stored under the specified folder (i.e c:/Lucee/web-contexts/{web-context-label} ) using a hash, which can be manually overridden in the server admin.

<description>Lucee Web Directory (for Website-specific configurations, settings, and libraries)</description>>

This is rather confusing as you need guess which hash refers to which context if you want to have a look at the web context logs, which makes this more secure option less attractive.

mod_cfml already generates a unique key for each context as can be seen under \lucee\tomcat\conf\Catalina, (i.e localhost-httpd-confl610)

Is there any reason why something like this couldn’t be used by default for {web-context-label}, rather than just a hash?

1 Like


For someone new to the idea, can you give an example of this as it would appear in the tomcat server.xml file?

For example:

		<Host name="" appBase="webapps" unpackWARs="true" autoDeploy="true">
			<Context path="" docBase="/websites/" />

Can you put the WEB-IBF directory somewhere else other than in the web root? How would that look and what other settings or files have to change? Not used to editing anything inside the WEB-INF directory.



Checkout the first link in my post, the change is made in Tomcat’s web.xml



Hey Zac,

If memory serves, you can change them from the hash to your preferred label at the bottom of the Lucee admin’s “Overview” screen. I think… maybe… :wink: … hold my beer…

Okay, yeah. There’s a “label” field and an update button, so I’m pretty sure you can change it there…



I did mention that it can be manually tweaked, I’m asking about making the default more user friendly OOTB



Ah, I missed that part of your message. Sorry for my misunderstanding there…



Commandbox appends a name to the hash which is more meaningful, but even that’s problematic as the paths end up being rather long like this


and there’s a bit of mental overhead required to scan such paths



Actually, that hash that CommandBox uses is a different hash then the Lucee one. Since host name isn’t always unique (most CommandBox servers use localhost), CommandBox hashes the server name (defaulting to the directory in which the web root resides) and the file full system path to the web root. Since commandbox starts a separate JVM for each server, it only has one web context so the hash is actually not a hard requirement. In fact, the serverConfigDir and webConfigDir settings in a CommandBox server will let you stick the web and server contexts anywhere you like with no hashes.



those are command line arguments, not from the .json file?



Both, actually.