Since JBoss is acting as middleware (an application server), I was wondering whether it's still possible to face File Inclusion attacks. The reason I was wondering is that in such a case, no request will be sent directly to any storage or database server, since JBoss will be stepping into the middle of the communication to check for validity and so on, so I thought RFI/LFI might already be prevented by using application servers.
If it's still possible, what can be done to prevent File Inclusion attacks (not including making sure that PHP is immune enough to malicious code)?
OS: RHEL 7
Application Server: JBoss