The WEB-INF directory is a special directory defined by the Servlet specification that must be created for all web applications.
This directory and its contents are protected from direct HTTP access by the servlet container, providing a secure location for application configuration and private resources.
You can create your own files and directories under WEB-INF ("/WEB-INF/config/", "/WEB-INF/templates/"), but direct access via HTTP requests to these files will be denied by the servlet container with an HTTP 404 error.
This security feature allows you to store sensitive configuration files, templates, or other resources that should not be directly accessible to web users.
The WEB-INF directory contains several standard subdirectories and files defined by the Servlet specification:
-
/WEB-INF/web.xml: The deployment descriptor file that contains configuration information for the web application, including servlet mappings, security constraints, and initialization parameters.
-
/WEB-INF/classes/: Contains compiled Java class files that are not packaged in JAR files.
This includes servlets, filters, listeners, and utility classes.
Classes must be organized in a directory structure that matches their package hierarchy.
For example, a class "LoginServlet.class" in package "com.example.servlets" should be located at "/WEB-INF/classes/com/example/servlets/LoginServlet.class".
-
/WEB-INF/lib/: Contains JAR files that provide additional libraries and dependencies for your web application.
These JAR files are automatically added to the application's classpath by the servlet container.
The servlet container follows a specific class loading order: classes in "/WEB-INF/classes/" are loaded before classes contained in JAR files in "/WEB-INF/lib/".
This allows you to override classes from JAR files by placing updated versions in the classes directory.