Hello,
As an opening statement, I would point out that this is not a Vaadin-specific question, but a general Java Web/J2EE question.
You basically have two fundamental choices: if you place the file in WEB-INF\classes or WEB-INF\lib, the file is not visible to the outside world. If you place the file anywhere else inside the web application directory (WebContent) but outside of WebContent\WEB-INF, the file could be accessible to the end user.
WebContent
    super-secret.properties
    WEB-INF
        classes
            hidden.properties
If the web application were deployed to /example, and the user accessed http://theserver/example/super-secret.properties - the file would be downloaded to the end user[1]. The J2EE spec mandates, I believe, that files in the WEB-INF folder (and below) are not accessible to the front end.
Personally, I would recommend that the file be placed on the classpath. That way, you can use ClassLoader#getResourceAsStream to open an input stream. That sounds very complicated, but in fact it’s not (no error checking included):
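import java.io.InputStream;
import java.util.Properties;

// Look the file up on the classpath (WEB-INF/classes is on it)
ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
InputStream stream = classLoader.getResourceAsStream("hidden.properties");
if (stream == null) {
    // File not found
} else {
    Properties p = new Properties();
    p.load(stream); // throws IOException if the stream cannot be read
}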
How do you get the file into the classpath? Simply add it to the root of your source directory. The Eclipse compiler will (almost certainly - Eclipse people tell me if I’m wrong) copy the .properties file to the root of the WebContent\WEB-INF\classes directory, and thus it is simply on the class path.
There are ways to access files in the WebContent directory, but they require a bit more setting up - you need access to the ServletContext, and then you can use ServletContext#getResourceAsStream e.g.
ServletContext context = ... // This is the tricky bit, depends on where you are calling from
// The path is relative to the web application root and must start with "/"
InputStream stream = context.getResourceAsStream("/super-secret.properties");
if (stream == null) {
    // File not found
} else {
    Properties p = new Properties();
    p.load(stream); // throws IOException if the stream cannot be read
}
Sorry this is so long - but it’s not as simple a question as you might imagine.
In short - I recommend using the classpath/classloader method. It’s more secure, and it’ll also work in non web environments.
Cheers,
Charles
[1] This may not happen in a Vaadin application, actually, because of how the default servlet mapping is. The fundamental principle is right, though.
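
A build-time check for the layout rule described in the post above, as an added example that is not part of the original post: it walks an exploded web application directory and reports every .properties file that sits outside WEB-INF, where the container could serve it to a client. The class name ExposedConfigCheck and the method findExposed are hypothetical, the sample tree and its contents are constructed, and Java 11 or later is assumed.

```java
import java.io.IOException;
import java.nio.file.*;
import java.util.*;
import java.util.stream.*;

public class ExposedConfigCheck {

    // Returns the files under webRoot whose name ends with suffix and that are
    // NOT below WEB-INF, i.e. files a client could request by URL.
    // Paths are returned relative to webRoot, sorted.
    static List<Path> findExposed(Path webRoot, String suffix) throws IOException {
        try (Stream<Path> files = Files.walk(webRoot)) {
            return files.filter(Files::isRegularFile)
                    .map(webRoot::relativize)
                    .filter(p -> p.getFileName().toString()
                            .toLowerCase(Locale.ROOT).endsWith(suffix))
                    .filter(p -> !isUnderWebInf(p))
                    .sorted()
                    .collect(Collectors.toList());
        }
    }

    // True when the first path element is WEB-INF, the directory the post
    // describes as not accessible to the front end.
    static boolean isUnderWebInf(Path relative) {
        return relative.getName(0).toString().equals("WEB-INF");
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: the directory layout from the post, in a temp dir.
        Path root = Files.createTempDirectory("WebContent");
        Files.createDirectories(root.resolve("WEB-INF/classes"));
        Files.writeString(root.resolve("super-secret.properties"),
                "db.password=constructed\n");
        Files.writeString(root.resolve("WEB-INF/classes/hidden.properties"),
                "db.password=constructed\n");

        List<Path> exposed = findExposed(root, ".properties");
        exposed.forEach(p ->
                System.out.println("EXPOSED: /" + p.toString().replace('\\', '/')));

        // Only the file at the web root is flagged; the one in WEB-INF is not.
        if (exposed.size() != 1
                || !exposed.get(0).toString().equals("super-secret.properties")) {
            throw new AssertionError("unexpected result: " + exposed);
        }
    }
}
```

Pointed at the real WebContent directory in a build step, a non-empty result is a reason to move the file under WEB-INF\classes and load it through the class loader.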