Well there are two issues here:

1) What should be or can be set up in the jetty-web.xml
2) What security methods are needed to protect against domain stealing.

The second issue is not really a general issue, as it relates to Joel's
particular circumstance.   Normally we assume that if you have access to
the configuration API, then you are able to do what you like (assuming
no restrictions from a superior security manager).

As for the jetty-web.xml file, this looks like a reasonable part solution
to the virtual host problem.   It is only a part solution as there is a
chicken and egg problem - ie where is the context registered initially so
that it can be started to run the jetty-web.xml file which will then
register it at the desired location.  The real solution will still be
to support virtual hosts in the original deployment of a web application.

Joel's change is a step toward a partial solution, but note that
contexts can be registered for multiple hosts, but not for multiple
context paths.   Thus you cannot have a context registered at:

    host: 0.0.0.0   path /acme/*
and
    host: acme.com  path /

Thus if you wanted multiple web applications, served from virtual hosts,
you would end up with:

    host: 0.0.0.0   path: /     acme1 webapp
    host: 0.0.0.0   path: /     acme2 webapp
    host: acme1.com path: /     acme1 webapp
    host: acme2.com path: /     acme2 webapp

This will work, but acme1 will get preference for requests without a
known host.

If people don't think this is too confusing, then I'll add Joel's API to
the HandlerContext class.

As for configuring listeners from the jetty-web.xml file - I don't know
if I like the idea for real deployments, but it sure is great to demonstrate
the power of the jetty config mechanism :-)

cheers


Julian Gosnell wrote:

> This is interesting.
> 
> I'm forwarding it to the jboss dev list in case anyone there would like
> to comment....
> 
> Greg, This is the sort of thing I had in mind for the web-jetty.xml -
> it's great to see it being taken up so soon. Did you not think that
> there would be issues with trying to set up a virtual host deployment
> from the web-jetty.xml ?
> 
> Could we clear this up ? I'd like to know whether this really is a
> solution, or not ?
> 
> 
> Jules
> 
> 
> For the latest information about Jetty, please see http://jetty.mortbay. 
> 
> Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/ 
> 
> 
> 
> ------------------------------------------------------------------------
> 
> Subject: [jetty-discuss] Virtual Hosts By Web app
> From: "Joel Shellman" <[EMAIL PROTECTED]>
> Date: Wed, 12 Sep 2001 10:48:10 -0700
> To: <[EMAIL PROTECTED]>
> 
> We're working toward offering jboss/jetty shared hosting accounts. In an
> effort to allow more flexibility, I just modified the code very slightly
> adding a registerHost(String) in HandlerContext that subsequently called
> addContext() on HttpServer. This way in the web-jetty.xml file, you can add
> virtual hosts very easily. It's been working fine. I didn't examine closely
> the extra code in addContext() that might cause duplicates to be in the map
> yet, though.
> 
> There is of course one very big problem with doing this:
> This means that one user could try to specify a virtual host that belonged
> to someone else. So let's say the owner of mydomain.com put up his web
> application. But then on the same shared app server, another malicious user
> specified mydomain.com for his web application. Now exactly how Jetty would
> handle that is not really the issue--no matter how it did, it would
> potentially be disruptive, even if they just did something like mount a web
> app at: mydomain.com/makeFunOfMyDomain/ which would then look like it was
> put up by the owner of mydomain.com but wasn't.
> 
> Anyway, there seems to be no easy way around it. I wanted to use the
> AutoDeploy functionality of JBoss and so didn't want to have to modify the
> jetty.xml file directly. In fact, since you can set up a listener from
> web-jetty.xml also, I think  we could actually leave jetty.xml almost
> completely empty.
> 
> Somehow I have to ensure that only an authorized owner of a domain name can
> use it to host their web app. Most of the ideas I have thought of so far are
> a little too complicated, so I'm trying to think of something simple and
> elegant.
> 
> Anyway, if anyone has any ideas, I'd be happy to hear them.
> 
> Thank you,
> 
> Joel Shellman
> iKestrel Full Service Internet Solutions
> [ Design | Flash | eCommerce | Backend | Database | Hosting | Marketing ]
> http://www.ikestrel.com/
> 
> 
> 



-- 
Greg Wilkins<[EMAIL PROTECTED]>          GB  Phone: +44-(0)7092063462
Mort Bay Consulting Australia and UK.    Mbl Phone: +61-(0)4 17786631
http://www.mortbay.com                   AU  Phone: +61-(0)2 98107029


_______________________________________________
Jboss-development mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-development
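
An added example, not part of the original thread and not Jetty code: a stand-alone Java model of the two points discussed above, namely an operator-held ownership table that a registerHost-style call must pass before a tenant can claim a host name, and the first-registered-wins fallback for requests without a known host. The class, the grant/registerAnyHost/resolve methods and the account names are assumptions made for illustration; the host header is assumed to arrive with any port already stripped.

```java
import java.util.*;

// Added illustration: a stand-alone model, NOT Jetty's HandlerContext/HttpServer API.
public class VirtualHostRegistry {
    // Operator-held table: account -> host names it may claim (assumed to be filled
    // in out of band when the hosting account is provisioned, never by the tenant).
    private final Map<String, Set<String>> owned = new HashMap<>();
    private final Map<String, String> byHost = new HashMap<>();  // host -> webapp
    private final List<String> anyHost = new ArrayList<>();      // 0.0.0.0, in order

    public void grant(String account, String host) {
        owned.computeIfAbsent(account, a -> new HashSet<>()).add(norm(host));
    }

    // Tenant-facing call: refuse any host name the deploying account does not own.
    public boolean registerHost(String account, String host, String webapp) {
        Set<String> mine = owned.getOrDefault(account, Collections.<String>emptySet());
        if (!mine.contains(norm(host))) return false;
        byHost.put(norm(host), webapp);
        return true;
    }

    // Registration at host 0.0.0.0, path "/": every webapp may add itself here.
    public void registerAnyHost(String webapp) { anyHost.add(webapp); }

    // Exact host match first; otherwise the earliest 0.0.0.0 registration wins.
    public String resolve(String hostHeader) {
        String app = hostHeader == null ? null : byHost.get(norm(hostHeader));
        if (app != null) return app;
        return anyHost.isEmpty() ? null : anyHost.get(0);
    }

    // Host names compare case-insensitively; a trailing dot names the same host.
    private static String norm(String host) {
        String h = host.trim().toLowerCase(Locale.ROOT);
        return h.endsWith(".") ? h.substring(0, h.length() - 1) : h;
    }

    public static void main(String[] args) {
        VirtualHostRegistry r = new VirtualHostRegistry();
        r.grant("acme1", "acme1.com");   // constructed sample accounts and hosts
        r.grant("acme2", "acme2.com");
        r.registerAnyHost("acme1 webapp");
        r.registerAnyHost("acme2 webapp");
        System.out.println(r.registerHost("acme1", "acme1.com", "acme1 webapp"));
        System.out.println(r.registerHost("acme2", "ACME1.com.", "acme2 webapp"));
        System.out.println(r.resolve("acme1.com"));
        System.out.println(r.resolve("unknown.example"));
    }
}
```

The second registerHost call is refused because acme2 was never granted acme1.com, even when the name is written with different case and a trailing dot; the last resolve call falls through to the first 0.0.0.0 registration.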
