Just use the real directory.

Change this ...
<Set name="resourceBase"><SystemProperty name="jetty.base" default="."/>/code/well-known</Set>

To ...
<Set name="resourceBase">/path/to/well-known</Set>

Alias checking is what is biting you; it's in place to prevent
various protected directory bypasses.
Since the requested resource `/letsencrypt.id` is used against your
resourceBase.resolve("/letsencrypt.id") and the resulting resource has a
different path than its real path, this is viewed as an alias.
There's a variety of bypasses of protected directories if this is allowed.
(Think Windows 8.3, or Windows alt names, or various Linux UTF-8 filesystem
normalizations, or even OS X UTF-16 filesystem translation behaviors.)

Joakim Erdfelt / joa...@webtide.com


On Wed, Jul 20, 2022 at 10:23 PM scottastanley--- via jetty-users <
jetty-users@eclipse.org> wrote:

> For my application, I use Let's Encrypt for my ssl certificate validating
> using the .well-known.  I define the web application for well-known with a
> simple deployment descriptor.
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "https://www.eclipse.org/jetty/configure_10_0.dtd">
>
> <Configure class="org.eclipse.jetty.server.handler.ContextHandler">
>   <Set name="contextPath">/.well-known</Set>
>   <Set name="handler">
>     <New class="org.eclipse.jetty.server.handler.ResourceHandler">
>       <Set name="resourceBase"><SystemProperty name="jetty.base" default="."/>/code/well-known</Set>
>       <Set name="directoriesListed">false</Set>
>     </New>
>   </Set>
> </Configure>
>
> The /code/well-known in jetty base is a symbolic link to the actual
> folder containing any files to be deployed. When I upgraded from Jetty 9.4
> to Jetty 11, this no longer works. When trying to access any files under
> the .well-known path I am getting a 404.
>
> HTTP ERROR 404 Not Found
> URI: /.well-known/A
> STATUS: 404
> MESSAGE: Not Found
> SERVLET: default
>
> If I change the resourceBase to be the actual path without a symbolic
> link, everything works fine.
>
> Has anyone else run into this problem?  Is there a configuration that I
> can change to allow this or is this a bug in the newer version of Jetty? If
> it is a bug, can someone point me at it so I can keep track of any
> resolution.
>
> Scott
>
>
> _______________________________________________
> jetty-users mailing list
> jetty-users@eclipse.org
> To unsubscribe from this list, visit
> https://www.eclipse.org/mailman/listinfo/jetty-users
>
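
The comparison described in the reply above, as an added example that is not part of the original thread and is not Jetty's own code: a simplified check that resolves the request against the base directory and compares the result with the file's real path. The class name, directory names and file contents are constructed for the demonstration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added illustration only: a simplified alias check, not Jetty's implementation.
public class AliasCheckDemo {

    // True when the path asked for and the file's real path differ,
    // i.e. the request reached the file through an alias such as a symlink.
    static boolean isAlias(Path base, String requested) throws IOException {
        // Drop leading '/' so the request resolves relative to the base directory.
        Path asked = base.resolve(requested.replaceFirst("^/+", ""))
                         .toAbsolutePath().normalize();
        if (!Files.exists(asked)) {
            return false; // nothing to serve, so there is no alias to judge
        }
        // toRealPath() follows symlinks and returns the canonical on-disk name.
        return !asked.equals(asked.toRealPath());
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout in a temp directory (names are hypothetical):
        //   <root>/real-well-known/letsencrypt.id   the actual file
        //   <root>/code/well-known                  symlink to real-well-known
        // The root is made real first so only the demo symlink can cause a mismatch.
        Path root = Files.createTempDirectory("alias-demo").toRealPath();
        Path realDir = Files.createDirectories(root.resolve("real-well-known"));
        Files.writeString(realDir.resolve("letsencrypt.id"), "constructed sample\n");
        Path linkDir = Files.createDirectories(root.resolve("code")).resolve("well-known");
        Files.createSymbolicLink(linkDir, realDir); // may need privileges on Windows

        // Base is the symlink: asked path and real path differ, so it is flagged.
        System.out.println("symlinked base: alias=" + isAlias(linkDir, "/letsencrypt.id"));
        // Base is the real directory: both paths agree, so it is not flagged.
        System.out.println("real base:      alias=" + isAlias(realDir, "/letsencrypt.id"));
    }
}
```
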