Re: restrict per user public_html to serve static files only...

2012-06-27 Thread André Warnier

Kim wrote:


Hi, Dear all
I'm using tomcat 6.0.35 on linux CentOS 5.7 using sun jdk jdk1.5.0_11.
I need to enable public_html for my user but for security reasons, I
would like to restrict its functions to serving static files only.
Can anyone tell me how to do that ?
Actually I can build tomcat from src and don't mind modifying the code
base for this specific feature.
Can anyone help me to point out which source file I should modify ...
Regards,
Kim



Modifying the Tomcat code base for this seems to me a heavy, non-portable, 
non-maintainable, non-upgradable solution.

You could do this with a very simple (*) Servlet Filter.  One may already exist 
which does that.
I'd be surprised if you couldn't do that with, for example, the URLRewrite 
filter.
http://www.tuckey.org/urlrewrite/
Rewrite URLs that do not point to static pages, to some error page URL, et 
voila.
(better : rewrite all /public_html/* URLs to the error page, /except/ if they end in 
\.(xxx|yyy|zzz))



(*) and light and portable and maintainable and upgradable

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: restrict per user public_html to serve static files only...

2012-06-27 Thread Kim
Hi, Andre
Thanks for the advice. I did implement a Valve class to capture all the
requests before forwarding to the actual web app. However, I cannot know
in advance the actual URL for the servlet or JSP,
i.e. I cannot know from the URI in the Valve class whether the
resource is a static file or a servlet ...
Regards,
Kim

2012/6/27 André Warnier a...@ice-sa.com:
 Kim wrote:

 Hi, Dear all
 I'm using tomcat 6.0.35 on linux CentOS 5.7 using sun jdk jdk1.5.0_11.
 I need to enable public_html for my user but for security reasons, I
 would like to restrict its functions to serving static files only.
 Can anyone tell me how to do that ?
 Actually I can build tomcat from src and don't mind modifying the code
 base for this specific feature.
 Can anyone help me to point out which source file I should modify ...
 Regards,
 Kim


 Modifying the Tomcat code base for this seems to me a heavy, non-portable,
 non-maintainable, non-upgradable solution.
 You could do this with a very simple (*) Servlet Filter.  One may already exist
 which does that.
 I'd be surprised if you couldn't do that with, for example, the URLRewrite
 filter.
 http://www.tuckey.org/urlrewrite/
 Rewrite URLs that do not point to static pages, to some error page URL, et
 voila.
 (better : rewrite all /public_html/* URLs to the error page, /except/ if
 they end in \.(xxx|yyy|zzz))


 (*) and light and portable and maintainable and upgradable






Re: restrict per user public_html to serve static files only...

2012-06-27 Thread Mikolaj Rydzewski

On 27.06.2012 06:58, Kim wrote:

I'm using tomcat 6.0.35 on linux CentOS 5.7 using sun jdk 
jdk1.5.0_11.

I need to enable public_html for my user but for security reasons, I
would like to restrict its functions to serving static files only.
Can anyone tell me how to do that ?


IMO apache httpd suits better in this situation. There's built-in 
support for public_html directories. Since all you need is to serve 
static files, I see no point in using tomcat.


--
Mikolaj Rydzewski m...@ceti.pl




Re: restrict per user public_html to serve static files only...

2012-06-27 Thread Kim
Hi, Mikolaj
Actually I would like to get rid of apache httpd.
Regards,
Kim

2012/6/27 Mikolaj Rydzewski m...@ceti.pl:
 On 27.06.2012 06:58, Kim wrote:

 I'm using tomcat 6.0.35 on linux CentOS 5.7 using sun jdk jdk1.5.0_11.
 I need to enable public_html for my user but for security reasons, I
 would like to restrict its functions to serving static files only.
 Can anyone tell me how to do that ?


 IMO apache httpd suits better in this situation. There's built-in support
 for public_html directories. Since all you need is to serve static files, I
 see no point in using tomcat.

 --
 Mikolaj Rydzewski m...@ceti.pl







Re: restrict per user public_html to serve static files only...

2012-06-27 Thread André Warnier
Regarding the style of communications : on this list, it is preferred if posters answer 
*below* the respective text to which they refer, not on top of the message.
It makes it so much easier to follow the flow of the conversation (rather than having to 
scroll up and down to find the appropriate paragraph).


Kim wrote:

Hi, Andre
Thanks for the advice. I did implement a Valve class to capture all the
requests before forwarding to the actual web app. However, I cannot know
in advance the actual URL for the servlet or JSP,
i.e. I cannot know from the URI in the Valve class whether the
resource is a static file or a servlet ...


How so ? Can you explain ?
After all, Tomcat itself has to know if the resource being served is a servlet or jsp page 
or something else, in order to serve it properly. So how come you cannot do the same ?


Another question : where is this public_html directory (?) actually located, and what 
does/can it contain, other than static pages ?








Re: restrict per user public_html to serve static files only...

2012-06-27 Thread Kim
Hi, Andre

How so ? can you explain ?
After all, Tomcat itself has to know if the resource being served is a
servlet or jsp page or something else, in order to serve it properly.
So how come you cannot do the same ?
ans : each user can have his/her own web.xml and can do whatever URL
mapping in web.xml to serve his/her servlet ... That's why I cannot
know in advance unless I go into the user WEB-INF to do the parsing
...

Another question : where is this public_html directory (?) actually
located, and what does/can it contain, other than static pages ?
ans : I configure tomcat to enable per-user web as follows:
 <Listener className="org.apache.catalina.startup.UserConfig"
           directoryName="public_html"
           homeBase="/share/home"
           userClass="org.apache.catalina.startup.HomesUserDatabase"/>

Regards,
Kim

2012/6/27 André Warnier a...@ice-sa.com:
 Regarding the style of communications : on this list, it is preferred if
 posters answer *below* the respective text to which they refer, not on top
 of the message.
 It makes it so much easier to follow the flow of the conversation (rather
 than having to scroll up and down to find the appropriate paragraph).


 Kim wrote:

 Hi, Andre
 Thanks for the advice. I did implement a Valve class to capture all the
 requests before forwarding to the actual web app. However, I cannot know
 in advance the actual URL for the servlet or JSP,
 i.e. I cannot know from the URI in the Valve class whether the
 resource is a static file or a servlet ...


 How so ? Can you explain ?
 After all, Tomcat itself has to know if the resource being served is a
 servlet or jsp page or something else, in order to serve it properly. So how
 come you cannot do the same ?

 Another question : where is this public_html directory (?) actually
 located, and what does/can it contain, other than static pages ?










Re: restrict per user public_html to serve static files only...

2012-06-27 Thread André Warnier

Kim wrote:

Hi, Andre

How so ? can you explain ?
After all, Tomcat itself has to know if the resource being served is a
servlet or jsp page or something else, in order to serve it properly.
So how come you cannot do the same ?
ans : each user can have his/her own web.xml and can do whatever URL
mapping in web.xml to serve his/her servlet ... That's why I cannot
know in advance unless I go into the user WEB-INF to do the parsing


Right, so you /are/ trying to implement something like the ~userdir of Apache 
httpd.
I tend to agree with Mikolaj then, you may be better off keeping Apache httpd 
for that.

Or else, this is the kind of situation for which the security manager of Tomcat 
(actually of Java) may be the way to go.  If individual users can upload stuff and have it 
served by Tomcat, at least restrict whatever these things can actually do.


Have a look first at the file (catalina_home)/conf/catalina.policy, section WEB 
APPLICATION PERMISSIONS.
It seems to me that by not granting those permissions (other than to your own webapps), 
you can greatly restrict what users can do.


As long as the users don't have access to (catalina_base)/conf of course.

It also means of course that you /must/ grant these permissions to your own webapps, which 
tends to be a p.i.t.a.  But then, you have an open system, so it belongs to you to close 
the holes.





...

Another question : where is this public_html directory (?) actually
located, and what does/can it contain, other than static pages ?
ans : I configure tomcat to enable per-user web as follows:
 <Listener className="org.apache.catalina.startup.UserConfig"
           directoryName="public_html"
           homeBase="/share/home"
           userClass="org.apache.catalina.startup.HomesUserDatabase"/>

Regards,
Kim

2012/6/27 André Warnier a...@ice-sa.com:

Regarding the style of communications : on this list, it is preferred if
posters answer *below* the respective text to which they refer, not on top
of the message.
It makes it so much easier to follow the flow of the conversation (rather
than having to scroll up and down to find the appropriate paragraph).


Kim wrote:

Hi, Andre
Thanks for the advice. I did implement a Valve class to capture all the
requests before forwarding to the actual web app. However, I cannot know
in advance the actual URL for the servlet or JSP,
i.e. I cannot know from the URI in the Valve class whether the
resource is a static file or a servlet ...


How so ? Can you explain ?
After all, Tomcat itself has to know if the resource being served is a
servlet or jsp page or something else, in order to serve it properly. So how
come you cannot do the same ?

Another question : where is this public_html directory (?) actually
located, and what does/can it contain, other than static pages ?
















Re: restrict per user public_html to serve static files only...

2012-06-27 Thread Konstantin Kolinko
2012/6/27 Kim k...@aerodrive.com:
 Hi, Dear all
 I'm using tomcat 6.0.35 on linux CentOS 5.7 using sun jdk jdk1.5.0_11.
 I need to enable public_html for my user but for security reasons, I
 would like to restrict its functions to serving static files only.
 Can anyone tell me how to do that ?
 Actually I can build tomcat from src and don't mind modifying the code
 base for this specific feature.
 Can anyone help me to point out which source file I should modify ...

For reference, the User Web Applications feature is implemented via a
Listener, o.a.catalina.startup.UserConfig, which enumerates users and
deploys their web applications.  Documentation is in
config/listeners.html and config/host.html.

Currently it creates a web application for each user when Tomcat starts.
Probably it could be improved to perform such deployment once in a
while on Lifecycle.PERIODIC_EVENT.


First,
you need to prevent not only jsps, but servlets as well.

I think I would create my own UserConfig listener so that it would
skip directories
that have WEB-INF and META-INF directories in them.

Things to beware are WEB-INF/web.xml, WEB-INF/lib (because of web
fragments feature of Servlet 3.0), WEB-INF/classes (unlikely, but just
to be sure; maybe it could be used to reconfigure logging).

There should not be a META-INF/context.xml file. (Though as far as I
remember, when an application is deployed via UserConfig the
context.xml file is ignored).


Second,
Processing of JSP files can be enabled through two constructs:
a) explicit mapping of JspServlet, like it is done in conf/web.xml
b) implicitly by using jsp-property-group with a url pattern that
matches the file.

I think that removing JspServlet mappings from global conf/web.xml
will disable JSP processing for you.




2012/6/27 André Warnier a...@ice-sa.com:

 Have a look first at the file (catalina_home)/conf/catalina.policy, section
 WEB APPLICATION PERMISSIONS.
 It seems to me that by not granting those permissions (other than to your
 own webapps), you can greatly restrict what users can do.


Note that regardless of contents of conf/catalina.policy every web
application is granted permission to load its own classes and write to
its own temporary directory. The servlet spec requires it.

Best regards,
Konstantin Kolinko

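Konstantin's deploy-time check, as an added example that is not code from the thread or from Tomcat: instead of copying UserConfig, it plugs in a custom UserDatabase (the userClass attribute of the listener Kim already configures) that wraps Tomcat's HomesUserDatabase and drops every user whose public_html contains WEB-INF or META-INF, so such a home is never deployed at all. The package and class names are assumptions.

```java
package example.tomcat;

import java.io.File;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;

import org.apache.catalina.startup.HomesUserDatabase;
import org.apache.catalina.startup.UserConfig;
import org.apache.catalina.startup.UserDatabase;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;

/**
 * Added example (not Tomcat code; package name hypothetical). Wraps Tomcat's
 * HomesUserDatabase and hides every user whose public_html contains WEB-INF or
 * META-INF, so UserConfig never deploys a home that could carry a web.xml,
 * classes, libraries or context.xml. Wire it in via the existing listener:
 *   <Listener className="org.apache.catalina.startup.UserConfig"
 *             directoryName="public_html" homeBase="/share/home"
 *             userClass="example.tomcat.StaticOnlyUserDatabase"/>
 */
public class StaticOnlyUserDatabase implements UserDatabase {

    private static final Log log = LogFactory.getLog(StaticOnlyUserDatabase.class);

    private final HomesUserDatabase delegate = new HomesUserDatabase();
    private UserConfig userConfig;

    public UserConfig getUserConfig() { return userConfig; }

    public void setUserConfig(UserConfig userConfig) {
        this.userConfig = userConfig;
        delegate.setUserConfig(userConfig);   // the delegate reads homeBase from it
    }

    public String getHome(String user) {
        return delegate.getHome(user);
    }

    /** Enumerates only users whose public_html holds nothing Tomcat would execute. */
    public Enumeration<String> getUsers() {
        List<String> allowed = new ArrayList<String>();
        Enumeration<?> users = delegate.getUsers();   // raw Enumeration on Tomcat 6
        while (users.hasMoreElements()) {
            String user = (String) users.nextElement();
            File app = new File(getHome(user), userConfig.getDirectoryName());
            if (isStaticOnly(app)) {
                allowed.add(user);
            } else {
                log.warn("Skipping user " + user + ": " + app + " contains WEB-INF or META-INF");
            }
        }
        return Collections.enumeration(allowed);
    }

    /** True when neither WEB-INF nor META-INF exists (File.exists follows symlinks). */
    static boolean isStaticOnly(File app) {
        return !new File(app, "WEB-INF").exists() && !new File(app, "META-INF").exists();
    }
}
```

The check runs only when UserConfig deploys at startup, so a .jsp dropped into an already-deployed public_html is still compiled unless the JspServlet mapping is also removed from the global conf/web.xml, as Konstantin suggests.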



RE: restrict per user public_html to serve static files only...

2012-06-27 Thread Caldarale, Charles R
 From: Kim [mailto:k...@aerodrive.com] 
 Subject: Re: restrict per user public_html to serve static files only...

Please do not top-post; it's rude and annoying.

 each user can have his/her own web.xml and can do whatever URL
 mapping in web.xml to serve his/her servlet

???  You first say users cannot have dynamic content, then state that users can 
have their own servlets.  Both can't be true at the same time.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.





Re: restrict per user public_html to serve static files only...

2012-06-27 Thread Kim
Hi, Charles
Really sorry as I'm new here.
OK, here is the answer to your question
- You first say users cannot have dynamic content, then state that
users can have their own servlets.  Both can't be true at the same
time.
ans : I would like to restrict the per-user web application to
serve static files only. But the current implementation of Tomcat
would enable a web application on a per-user basis, i.e. they can deploy
a web.xml in WEB-INF and execute servlets or JSPs in tomcat.

Regards,
Kim

2012/6/27 Caldarale, Charles R chuck.caldar...@unisys.com:
 From: Kim [mailto:k...@aerodrive.com]
 Subject: Re: restrict per user public_html to serve static files only...

 Please do not top-post; it's rude and annoying.

 each user can have his/her own web.xml and can do whatever URL
 mapping in web.xml to serve his/her servlet

 ???  You first say users cannot have dynamic content, then state that users 
 can have their own servlets.  Both can't be true at the same time.

  - Chuck









Re: restrict per user public_html to serve static files only...

2012-06-27 Thread André Warnier

Kim, when we ask to not top-post, here is what we mean.
This is a correctly formatted version of your last message :

-- start

Hi, Charles
Really sorry as I'm new here.



2012/6/27 Caldarale, Charles R chuck.caldar...@unisys.com:

From: Kim [mailto:k...@aerodrive.com]
Subject: Re: restrict per user public_html to serve static files only...

Please do not top-post; it's rude and annoying.


each user can have his/her own web.xml and can do whatever URL
mapping in web.xml to serve his/her servlet

???  You first say users cannot have dynamic content, then state that users can 
have their own servlets.  Both can't be true at the same time.



I would like to restrict the per-user web application to
serve static files only. But the current implementation of Tomcat
would enable a web application on a per-user basis, i.e. they can deploy
a web.xml in WEB-INF and execute servlets or JSPs in tomcat.

Regards,
Kim


-- end

You see, it's easy to read, in a logical order, thus easy to know which answer relates to 
which question/remark.  And it saves you retyping the question.






Re: restrict per user public_html to serve static files only...

2012-06-27 Thread Kim
Hi, Kolinko
Really thanks. Yes, I have hunted down UserConfig in the Tomcat source
tree and can modify UserConfig.java to skip those user contexts if
there exists a /WEB-INF/web.xml in their public_html directory.
And I can also insert a Valve filter to skip those URLs with a jsp extension ...
But I do think it's a very clumsy solution and I'm looking for a more
elegant solution in which, for a per-user web application, the only
servlet that can be invoked is the DefaultServlet, which serves static
files only..
Regards,
Kim

 For reference, the User Web Applications feature is implemented via a
 Listener, o.a.catalina.startup.UserConfig, which enumerates users and
 deploys their web applications.  Documentation is in
 config/listeners.html and config/host.html.

 Currently it creates a web application for each user when Tomcat starts.
 Probably it could be improved to perform such deployment once in a
 while on Lifecycle.PERIODIC_EVENT.


 First,
 you need to prevent not only jsps, but servlets as well.

 I think I would create my own UserConfig listener so that it would
 skip directories
 that have WEB-INF and META-INF directories in them.

 Things to beware are WEB-INF/web.xml, WEB-INF/lib (because of web
 fragments feature of Servlet 3.0), WEB-INF/classes (unlikely, but just
 to be sure; maybe it could be used to reconfigure logging).

 There should not be a META-INF/context.xml file. (Though as far as I
 remember, when an application is deployed via UserConfig the
 context.xml file is ignored).


 Second,
 Processing of JSP files can be enabled through two constructs:
 a) explicit mapping of JspServlet, like it is done in conf/web.xml
 b) implicitly by using jsp-property-group with a url pattern that
 matches the file.

 I think that removing JspServlet mappings from global conf/web.xml
 will disable JSP processing for you.




 2012/6/27 André Warnier a...@ice-sa.com:

 Have a look first at the file (catalina_home)/conf/catalina.policy, section
 WEB APPLICATION PERMISSIONS.
 It seems to me that by not granting those permissions (other than to your
 own webapps), you can greatly restrict what users can do.


 Note that regardless of contents of conf/catalina.policy every web
 application is granted permission to load its own classes and write to
 its own temporary directory. The servlet spec requires it.

 Best regards,
 Konstantin Kolinko



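The request-time half of what Kim is after (only the DefaultServlet may be invoked inside a per-user context), as an added example that is neither Kim's Valve nor Tomcat code: a Host-level Valve that does not guess from the URI but asks for the Wrapper Tomcat's mapper has already selected for the request, which is exactly the information André points out Tomcat must have. The package and class names are assumptions.

```java
package example.tomcat;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.Wrapper;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Added example (not Tomcat code; package name hypothetical).
 * Host-level Valve for the user contexts UserConfig deploys under /~user.
 * By the time a Host valve runs, Tomcat's mapper has already chosen the
 * Wrapper (servlet) for the request, so the valve only has to check it:
 * the request passes if that servlet is the DefaultServlet and the method
 * is read-only; JspServlet or any servlet mapped by a user's web.xml gets 403.
 * Configure inside <Host> in server.xml:
 *   <Valve className="example.tomcat.StaticOnlyValve"/>
 */
public class StaticOnlyValve extends ValveBase {

    static final String DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet";

    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        if (isUserContext(request.getContextPath())) {
            Wrapper wrapper = request.getWrapper();
            String servletClass = (wrapper == null) ? null : wrapper.getServletClass();
            if (!allowed(request.getMethod(), servletClass)) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        getNext().invoke(request, response);
    }

    /** UserConfig deploys each user's public_html at context path /~user. */
    static boolean isUserContext(String contextPath) {
        return contextPath != null && contextPath.startsWith("/~");
    }

    /** Only GET/HEAD handled by the DefaultServlet; PUT/DELETE are refused even there. */
    static boolean allowed(String method, String servletClass) {
        boolean readOnly = "GET".equals(method) || "HEAD".equals(method);
        return readOnly && DEFAULT_SERVLET.equals(servletClass);
    }
}
```

Filters and listeners declared in a user's web.xml still run in front of the DefaultServlet, and a user-supplied DefaultServlet declaration can switch on listings or readonly=false, so this valve complements rather than replaces the deploy-time WEB-INF check Konstantin proposes.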



Re: restrict per user public_html to serve static files only...

2012-06-27 Thread Kim
Hi, Warnier

2012/6/27 André Warnier a...@ice-sa.com:
 Kim, when we ask to not top-post, here is what we mean.
 This is a correctly formatted version of your last message :

 -- start


 Hi, Charles
 Really sorry as I'm new here.


 2012/6/27 Caldarale, Charles R chuck.caldar...@unisys.com:

 From: Kim [mailto:k...@aerodrive.com]
 Subject: Re: restrict per user public_html to serve static files only...

 Please do not top-post; it's rude and annoying.

 each user can have his/her own web.xml and can do whatever URL
 mapping in web.xml to serve his/her servlet

 ???  You first say users cannot have dynamic content, then state that
 users can have their own servlets.  Both can't be true at the same time.


 I would like to restrict the per-user web application to
 serve static files only. But the current implementation of Tomcat
 would enable a web application on a per-user basis, i.e. they can deploy
 a web.xml in WEB-INF and execute servlets or JSPs in tomcat.

 Regards,
 Kim


 -- end

 You see, it's easy to read, in a logical order, thus easy to know which
 answer relates to which question/remark.  And it saves you retyping the
 question.


I got it now. Thanks for the help and really sorry for my mistake.
Regards,
Kim
