Re: [PAX WEB] Does DefaultHttpContext allow access to all resources in the bundle?

2022-02-02 Thread Grzegorz Grzybek
Hello

See the javadoc for javax.servlet.ServletContext.getResourceAsStream():


>
> *This method bypasses both implicit (no direct access to WEB-INF or
> META-INF) and explicit (defined by the webapplication) security
> constraints. Care should be taken both when constructing the path (e.g.
> avoid unsanitizeduser provided data) and when using the result not to
> create a security vulnerability in the application.*
>

so you're right - you can get the class stream using SC.getResource().

In Pax Web you have 3 specifications (OSGi CMPN chapters):
 - 102 - HttpService
 - 128 - Web Applications
 - 140 - Whiteboard

CMPN 102 says that ServletContext.getResource() is "supported by
org.osgi.service.http.HttpContext#getResource()" - see
https://docs.osgi.org/specification/osgi.cmpn/7.0.0/service.http.html#org.osgi.service.http.HttpContext
Also "102.10.3.1 public HttpContext createDefaultHttpContext()" says
explicitly:

> getResource - Assumes the named resource is in the context bundle; this
> method calls the context bundle's Bundle.getResource method, and returns
> the appropriate URL to access the resource

CMPN 128 has chapter
https://docs.osgi.org/specification/osgi.cmpn/7.0.0/service.war.html#i3096883
but it's about "default servlet" and which resources are accessible -
there's nothing about javax.servlet.ServletContext.
https://docs.osgi.org/specification/osgi.cmpn/7.0.0/service.war.html#i3082990
("128.6.3 Resource Lookup") says:

> The getResource and getResourceAsStream methods of the ServletContext
> interface are used to access resources in the web application. For a WAB,
> these resources must be found according to the findEntries method, this
> method includes fragments. For the getResource and getResourceAsStream
> method, if multiple resources are found, then the first one must be used.

So Bundle.getResource() (classLoader-like access) in CMPN 102 vs.
Bundle.findEntries() (non-classLoader-like access) in CMPN 128.

CMPN 140 has special table
https://docs.osgi.org/specification/osgi.cmpn/7.0.0/service.http.whiteboard.html#d0e119708
and it says:

> getResource(String) - Backed by the ServletContextHelper


so org.osgi.service.http.context.ServletContextHelper#getResource() is used
- this time (differently than in CMPN 102) there's an actual default
implementation (instead of just JavaDoc):

    public URL getResource(String name) {
        if ((name != null) && (bundle != null)) {
            if (name.startsWith("/")) {
                name = name.substring(1);
            }
            return bundle.getEntry(name);
        }
        return null;
    }


So this time - Bundle.getEntry() (non-classLoader-like access).

I hope this helps and gives you the right context (sic!).

regards
Grzegorz Grzybek

Wed, 2 Feb 2022 at 19:25 Daniel Stoch wrote:

> Hi,
>
> In the Wicket web framework, if some request URL does not have a
> dedicated/registered handler in the application, then WicketServlet falls
> back to returning a resource from the ServletContext as the response content:
>
>     InputStream stream = getServletContext().getResourceAsStream(url);
>     String mimeType = getServletContext().getMimeType(url);
>
> I don't know if this is a Wicket-specific thing or a common use case in the
> Java Servlets world? :)
> The problem is that by default Pax Web (DefaultHttpContext) allows returning
> all resources available in the bundle (because all calls are delegated
> to Bundle methods like getResource and getEntryPaths).
>
> In this way a user can prepare a special URL in a browser (e.g.
> http://our_app_url/com/somepackage/SampleClass.class) and our application
> will return the content of any resource which is part of the bundle (for
> which the DefaultHttpContext was created).
> I am trying to find out how to block this behaviour (block access to these
> internal files in the bundle); maybe I forgot to configure something or I am
> doing something wrong?
>
> PS. We are using PaxWeb 7.
>
> --
> Best regards,
> Daniel
>

-- 
-- 
--
OPS4J - http://www.ops4j.org - ops4j@googlegroups.com

--- 
You received this message because you are subscribed to the Google Groups 
"OPS4J" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ops4j+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ops4j/CAAdXmhomDxQvS%2BETYAADQEhGNF1ura%3DcwDhiW%2Bx-EH_%2Btmviog%40mail.gmail.com.


[PAX WEB] Does DefaultHttpContext allow access to all resources in the bundle?

2022-02-02 Thread Daniel Stoch
Hi,

In the Wicket web framework, if some request URL does not have a 
dedicated/registered handler in the application, then WicketServlet falls 
back to returning a resource from the ServletContext as the response content:

    InputStream stream = getServletContext().getResourceAsStream(url);
    String mimeType = getServletContext().getMimeType(url);

I don't know if this is a Wicket-specific thing or a common use case in the 
Java Servlets world? :)
The problem is that by default Pax Web (DefaultHttpContext) allows returning 
all resources available in the bundle (because all calls are delegated 
to Bundle methods like getResource and getEntryPaths).

In this way a user can prepare a special URL in a browser (e.g. 
http://our_app_url/com/somepackage/SampleClass.class) and our application 
will return the content of any resource which is part of the bundle (for 
which the DefaultHttpContext was created).
I am trying to find out how to block this behaviour (block access to these 
internal files in the bundle); maybe I forgot to configure something or I am 
doing something wrong?

PS. We are using PaxWeb 7.

--
Best regards,
Daniel

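Added example (not part of either message above, and not Pax Web or Wicket code): the reply explains that under CMPN 102 the HttpContext returned by createDefaultHttpContext() answers getResource() with Bundle.getResource(), so any entry on the bundle's class path, including the .class file from the URL in the question, is served. One way to close that is to register the servlet and the static resources with an HttpContext that wraps the default one and applies an allow-list before delegating. The wrapper below does that; the folder name "static" and the probe paths in main() are assumptions for illustration, and the check deliberately refuses traversal segments, META-INF, OSGI-INF, WEB-INF and any .class file even when they sit under the allowed folder.

```java
import java.io.IOException;
import java.net.URL;
import java.util.Locale;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.osgi.service.http.HttpContext;

/**
 * Wraps the context from HttpService.createDefaultHttpContext() and serves
 * only resources below one static-content folder of the bundle. Every other
 * name returns null, which the HttpService turns into a 404 instead of the
 * raw bundle entry. Illustrative wrapper, not Pax Web's own code.
 */
public final class RestrictedHttpContext implements HttpContext {

    private final HttpContext delegate;
    /** Folder inside the bundle that may be served, normalized to "name/". */
    private final String allowedPrefix;

    public RestrictedHttpContext(HttpContext delegate, String allowedFolder) {
        this.delegate = delegate;
        this.allowedPrefix = stripSlashes(allowedFolder) + "/";
    }

    @Override
    public boolean handleSecurity(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // Authentication/authorization stays with the wrapped context.
        return delegate.handleSecurity(request, response);
    }

    @Override
    public URL getResource(String name) {
        // Allow-list first; only then ask the default context (Bundle.getResource).
        return isAllowedResourcePath(name, allowedPrefix) ? delegate.getResource(name) : null;
    }

    @Override
    public String getMimeType(String name) {
        return delegate.getMimeType(name);
    }

    /** Pure check, kept static so it can be exercised without an OSGi framework. */
    static boolean isAllowedResourcePath(String name, String allowedPrefix) {
        if (name == null) {
            return false;
        }
        String path = stripSlashes(name);
        if (path.isEmpty() || path.contains("\\")) {
            return false;
        }
        // Reject empty, "." and ".." segments so "static/../com/x.class" cannot escape.
        for (String segment : path.split("/", -1)) {
            if (segment.isEmpty() || segment.equals(".") || segment.equals("..")) {
                return false;
            }
        }
        String lower = path.toLowerCase(Locale.ROOT);
        if (lower.endsWith(".class")
                || lower.startsWith("meta-inf/")
                || lower.startsWith("osgi-inf/")
                || lower.startsWith("web-inf/")) {
            return false;
        }
        // Positive allow-list: the entry must live under the configured folder.
        return path.startsWith(allowedPrefix);
    }

    private static String stripSlashes(String s) {
        int start = 0;
        int end = s.length();
        while (start < end && s.charAt(start) == '/') {
            start++;
        }
        while (end > start && s.charAt(end - 1) == '/') {
            end--;
        }
        return s.substring(start, end);
    }

    /** Constructed probe paths; the second one is the URL from the question. */
    public static void main(String[] args) {
        String[] probes = {
            "/static/css/app.css",                              // serve
            "/com/somepackage/SampleClass.class",               // deny: not under static/
            "/static/../com/somepackage/SampleClass.class",     // deny: ".." segment
            "/META-INF/MANIFEST.MF",                            // deny: bundle metadata
            "/OSGI-INF/blueprint/config.xml",                   // deny: bundle metadata
            "/static/Leaked.class",                             // deny: .class even under static/
        };
        for (String probe : probes) {
            String verdict = isAllowedResourcePath(probe, "static/") ? "serve" : "deny";
            System.out.printf("%-50s -> %s%n", probe, verdict);
        }
    }
}
```

Usage (assumed wiring, following the CMPN 102 API the reply cites): create the context once, `HttpContext ctx = new RestrictedHttpContext(httpService.createDefaultHttpContext(), "static");`, then pass the same `ctx` to both `httpService.registerResources("/", "/static", ctx)` and `httpService.registerServlet("/*", wicketServlet, null, ctx)`. Because the reply states that under CMPN 102 ServletContext.getResource() is backed by HttpContext.getResource(), Wicket's getResourceAsStream(url) fallback then goes through the same allow-list, and the probe URL from the question is answered with 404 rather than the class bytes. The check is conservative on purpose: it is a per-name filter, not a replacement for keeping secrets out of the bundle in the first place.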