First off - is moving WEB-INF out of the webroot still a best practice? Sounds like it would be, but worth confirming.
Assuming yes -
I was following along with the docs here -
and made these changes with the new directory (assume the new dir is D:\Lucee\web-contexts\ ).- but there seemed to be no change after a tomcat service restart.
Can I assume there are various other steps too (not in that web-page) like say:
setting up an IIS site to point at the new web-inf dir and
copying over the web-inf dir from the root of the site to the new location D:\Lucee\web-contexts{web-context-label} - â presumably copying the label from the admin site and replacing the token {web-context-label} with the label - e.g. 12344728df642153244337fb11ba374fbd
Not really IMO. Web servers and servlets are already configured to not serve files from web-inf so Iâve never seen any sort of vulnerability related to that. But you can do it if it makes you feel better
Make sure you edited the correct web.xml. Also find Luceeâs out log and see what the little ascii box headers say-- they list out the web context as they are configured with their path. Also, make sure th elines you edited in web.xml arenât commented out which may not be obvious if you are using a text editor that doesnât do color coding.
IIS doesnât need to know anything about this
This isnât necessary unless you had settings in that web context you didnât want to lose.
Absolutely not-- you want to have the placeholder in the web.xml, otherwise all your web contexts will share the same folder!
This should not be necessary, in fact Iâm not even sure itâs possible.
Also, never let any family members get in a car who you donât want potentially injured in a crash. Life is a series of calculated risks balanced by inconvenience. Iâve yet to find any large risk to a pubic WEB-INF folder so Iâm unlikely to deal with much inconvenience in moving it.
I was using notepad on the server and it was commented out - problem solved. mb.
I totally think it is worth reducing the footprint of anything in the webroot - especially since (after the edit) it was minimal effort to switch out.
Hopefully lucee upgrades wonât care about this web-context location. I doubt it.
And IIS boncode connector wonât care about this either from what I am seeing.
oh and one last step - I guess is to manually delete the old web-inf from the root
Cheers
I think I heard Zac say recently that Lucee 6 will move it out by default. Thereâs no technical reason to have it there, it was just convenient. CommandBox already keeps it out by default.
No, but it doesnât matter- youâve told Lucee where it is so Lucee knows where to find it if it needs it.
Boncode only cares that your servlet is listening on an AJP port, nothing more