Securing WEB-INF outside of the root

Hey all -

First off - is moving WEB-INF out of the webroot still a best practice? Sounds like it would be, but worth confirming.

Assuming yes -
I was following along with the docs here -

and made these changes with the new directory (assume the new dir is D:\Lucee\web-contexts\), but there seemed to be no change after a Tomcat service restart.

Can I assume there are various other steps too (not in that web-page) like say:

  1. setting up an IIS site to point at the new web-inf dir and
  2. copying over the web-inf dir from the root of the site to the new location D:\Lucee\web-contexts\{web-context-label} (presumably copying the label from the admin site and replacing the token {web-context-label} with the label, e.g. 12344728df642153244337fb11ba374fbd)
  3. updating the web-contexts path in admin


Not really IMO. Web servers and servlets are already configured to not serve files from web-inf so I’ve never seen any sort of vulnerability related to that. But you can do it if it makes you feel better :slight_smile:

Make sure you edited the correct web.xml. Also find Lucee’s out log and see what the little ascii box headers say-- they list out the web contexts as they are configured with their path. Also, make sure the lines you edited in web.xml aren’t commented out, which may not be obvious if you are using a text editor that doesn’t do color coding.

IIS doesn’t need to know anything about this

This isn’t necessary unless you had settings in that web context you didn’t want to lose.

Absolutely not-- you want to have the placeholder in the web.xml, otherwise all your web contexts will share the same folder!

This should not be necessary, in fact I’m not even sure it’s possible.
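An added check (example code, not from this thread) for the two points above: parse web.xml and confirm that the lucee-web-directory setting is live (a commented-out edit is simply absent to the XML parser) and still carries a per-context placeholder. The context-param name lucee-web-directory is the one Lucee's bundled web.xml uses; the directory and the sample web.xml fragments are constructed.

```python
import xml.etree.ElementTree as ET

PARAM_NAME = "lucee-web-directory"  # context-param name from Lucee's bundled web.xml (assumed)
PLACEHOLDERS = ("{web-context-label}", "{web-context-hash}")

def check_lucee_web_directory(web_xml_text: str) -> dict:
    """Report whether lucee-web-directory is active and per-context.

    The XML parser discards comments, so a <context-param> that is still
    commented out (the problem in this thread) is simply absent from the tree.
    """
    root = ET.fromstring(web_xml_text)
    value = None
    for elem in root.iter():
        # Strip the Servlet namespace prefix so namespaced and plain web.xml both work.
        if elem.tag.rsplit("}", 1)[-1] != "context-param":
            continue
        fields = {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in elem}
        if fields.get("param-name") == PARAM_NAME:
            value = fields.get("param-value")
            break
    return {
        "active": value is not None,  # the edit is live, not commented out
        "value": value,
        # without a placeholder every web context would share one folder
        "per_context": value is not None and any(p in value for p in PLACEHOLDERS),
    }

# Constructed samples (not from the thread): the edit still commented out,
# the edit without a placeholder, and the correct form.
COMMENTED_OUT = r"""<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <!-- <context-param>
    <param-name>lucee-web-directory</param-name>
    <param-value>D:\Lucee\web-contexts\{web-context-label}</param-value>
  </context-param> -->
</web-app>"""
SHARED_FOLDER = COMMENTED_OUT.replace("<!-- ", "").replace(" -->", "").replace(
    r"\{web-context-label}", "")
CORRECT = COMMENTED_OUT.replace("<!-- ", "").replace(" -->", "")

if __name__ == "__main__":
    for name, xml in (("commented", COMMENTED_OUT), ("shared", SHARED_FOLDER), ("correct", CORRECT)):
        print(name, check_lucee_web_directory(xml))
```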

I’d disagree, never ever put anything under the webroot which doesn’t need to be!


Also, never let any family members get in a car who you don’t want potentially injured in a crash. Life is a series of calculated risks balanced by inconvenience. I’ve yet to find any large risk to a public WEB-INF folder so I’m unlikely to deal with much inconvenience in moving it. :slight_smile:

Hey - thanks both of you so much. You guys rock!

  1. I was using notepad on the server and it was commented out - problem solved. mb.
  2. I totally think it is worth reducing the footprint of anything in the webroot - especially since (after the edit) it was minimal effort to switch out.

Hopefully lucee upgrades won’t care about this web-context location. I doubt it.
And IIS boncode connector won’t care about this either from what I am seeing.

Oh, and one last step, I guess, is to manually delete the old web-inf from the root.

I think I heard Zac say recently that Lucee 6 will move it out by default. There’s no technical reason to have it there, it was just convenient. CommandBox already keeps it out by default.

No, but it doesn’t matter- you’ve told Lucee where it is so Lucee knows where to find it if it needs it.

Boncode only cares that your servlet is listening on an AJP port, nothing more