The Servlet 2.4 specification says this about WEB-INF:
A special directory exists within the application hierarchy named
WEB-INF. This directory contains all things related to the application that aren’t in the document root of the application.The
WEB-INFnode is not part of the public document tree of the application. No file contained in the
WEB-INFdirectory may be served directly to a client by the container. However, the contents of the
WEB-INFdirectory are visible to servlet code using the
getResourceAsStreammethod calls on the
ServletContext, and may be exposed using the
This means that
WEB-INF resources are accessible to the classloader of your Web-Application and not directly visible for the public.
This is why a lot of projects put their resources like
JSP files, jars/libraries and their own class files or property files or any other sensitive information in the
—- Another explaination —
You should put in WEB-INF any pages, or pieces of pages, that you do not want to be public. Usually, JSP or facelets are found outside WEB-INF, but in this case they are easily accesssible for any user. In case you have some authorization restrictions, WEB-INF can be used for that.
WEB-INF/lib can contain 3rd party libraries which you do not want to pack at system level (JARs can be available for all the applications running on your server), but only for this particular applciation.
Generally speaking, many configurations files also go into WEB-INF.
As for WEB-INF/classes – it exists in any web-app, because that is the folder where all the compiled sources are placed (not JARS, but compiled .java files that you wrote yourself).