I need to know how I could disable ability to retrieve list of js/css files from browser when user tries to access resource folder instead of file itself (e.g. by typing http://domain/appname/resources/js
) on webshere 8.5.
According IBM Knowledge Center documentation Web Container default value for directoryBrowsingEnabled
is false
which suggest that I do not necessary need define: <enable-directory-browsing value="false"/>
on ibm-web-ext.xml
in the first place.
On my case WebSphere generates ibm-web-ext.xml
with content:
<?xml version="1.0" encoding="UTF-8"?>
<web-ext xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://websphere.ibm.com/xml/ns/javaee"
xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee http://websphere.ibm.com/xml/ns/javaee/ibm-web-ext_1_0.xsd" version="1.0">
<jsp-attribute name="reloadEnabled" value="true"/>
<jsp-attribute name="reloadInterval" value="5"/>
</web-ext>
In case I modify and replace ibm-web-ext.xml
with content:
<?xml version="1.0" encoding="UTF-8"?>
<web-ext xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://websphere.ibm.com/xml/ns/javaee"
xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee http://websphere.ibm.com/xml/ns/javaee/ibm-web-ext_1_0.xsd" version="1.0">
<jsp-attribute name="reloadEnabled" value="true"/>
<jsp-attribute name="reloadInterval" value="5"/>
<enable-directory-browsing value="false"/>
</web-ext>
After application restart seems nothing changed.
Why CSS / JS resources files list accessible from browser even if directoryBrowsingEnabled
flag is set to false
? Seems like directoryBrowsingEnabled
alone isn't enough. What do I missing?
Short answer: directory browsing for WAS is already disabled by default.
Please note that 'directory browsing' mean to be FTP style directory browsing when user can navigate directories by clicking folders upwards / downwards.
My case browsers responds with 200 code by downloading folder as plain text file when user hits http://domain/appname/resources/js
. So it's not previously mentioned 'FTP' style browsing case.
Along with other static resource configuration there was spring mvc resource tag.
<mvc:resources mapping="/**" location="/resources/" />
I do not think that tag alone was cause of this issue. However, by removing it resource directories URL no longer resulting in 200 status code.