Re: WebApps sharing uploaded files
chris wrote: Be careful: if you undeploy the webapp, you will have all those files deleted by Tomcat. Ok. Thank you! André wrote: Thanks. Seen. Lea, do you follow ? Yes, thanks! Ok. I do not properly understand the doc.: http://tomcat.apache.org/tomcat-7.0-doc/config/context.html 1) aliases is an attribute. Is it an attribute of the Context element? 2) I have a context.xml file in META-INF in both w1 and w2. I have tried: 2.A) context.xml ?xml version='1.0' encoding='utf-8'? Context aliases=/attachments=C:\somewhere_1\somewhere_2\somewhere_3 [...] /Context 2.B) I've created a foo.txt file in the directory C:\somewhere_1\somewhere_2\somewhere_3\ 2.C) test_download.html html head titleTest download/title /head body /attachments/foo.txt Foo.txt /body /html When I click the link, I get a 404 error: HTTP Status 404 - /attachments/foo.txt type Status report message /attachments/foo.txt description The requested resource (/attachments/foo.txt) is not available. What am I doing wrong? Thank you and best regards, -- Léa -- View this message in context: http://old.nabble.com/WebApps-sharing-uploaded-files-tp32570911p32595832.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: WebApps sharing uploaded files
Hello. Ok. I found what I was doing wrong and corrected my mistake: added /w1 at the beginning of the href attribute value. See below: 2.C) test_download.html html head titleTest download/title /head body /w1/attachments/foo.txt Foo.txt /body /html Now it works! Best regards, -- Léa -- View this message in context: http://old.nabble.com/WebApps-sharing-uploaded-files-tp32570911p32596193.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: WebApps sharing uploaded files
Hello. Ok. I found what I was doing wrong and corrected my mistake: added /w1 at the beginning of the href attribute value. See below: 2.C) test_download.html html head titleTest download/title /head body /w1/attachments/foo.txt Foo.txt /body /html Now it works! Best regards, -- Léa -- View this message in context: http://old.nabble.com/WebApps-sharing-uploaded-files-tp32570911p32596195.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: WebApps sharing uploaded files
Hello. Ok. I found what I was doing wrong and corrected my mistake: added /w1 at the beginning of the href attribute value. See below: 2.C) test_download.html html head titleTest download/title /head body /w1/attachments/foo.txt Foo.txt /body /html Now it works! Best regards, -- Léa -- View this message in context: http://old.nabble.com/WebApps-sharing-uploaded-files-tp32570911p32596196.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: WebApps sharing uploaded files
Hello André, Do you mean that you are going to create a new JSP for every new file someone may ever upload? No... Or do they always upload the same file f.txt? No... I understand your being puzzled... my bad: the example I posted is oversimple but it works if tested! In reality, the c:choose is dynamic in the JSPs: it is part of a loop which loops through a dynamic list of attachments. And yes you're right, contrary to my original description, there is not a unique uf directory storing both the attachments of w1 and those of w2. Some attachments are in w1\uf1, all the others are in w2\uf2 (it's a partition). That solution is quite good because: - there are no file duplicates, - the JSPs are the same, - I just need a switch inside of them to pick the attachments in the right directory according to a test. What's interesting is that, in the same servlets container, one WebApp has access to another WebApp through /w1/uf1/f.txt /w2/uf2/f.txt type of addressing. Thank you for your interest and best regards, -- Léa -- View this message in context: http://old.nabble.com/WebApps-sharing-uploaded-files-tp32570911p32587503.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: WebApps sharing uploaded files
Hello André, Do you mean that you are going to create a new JSP for every new file someone may ever upload? No... Or do they always upload the same file f.txt? No... I understand your being puzzled... my bad: the example I posted is oversimple but it works if tested! In reality, the c:choose is dynamic in the JSPs: it is part of a loop which loops through a dynamic list of attachments. And yes you're right, contrary to my original description, there is not a unique uf directory storing both the attachments of w1 and those of w2. Some attachments are in w1\uf1, all the others are in w2\uf2 (it's a partition). That solution is quite good because: - there are no file duplicates, - the JSPs are the same, - I just need a switch inside of them to pick the attachments in the right directory according to a test. What's interesting is that, in the same servlets container, one WebApp has access to another WebApp through /w1/uf1/f.txt /w2/uf2/f.txt type of addressing. Thank you for your interest and best regards, -- Léa -- View this message in context: http://old.nabble.com/WebApps-sharing-uploaded-files-tp32570911p32587506.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: WebApps sharing uploaded files
Léa Massiot wrote: ... What's interesting is that, in the same servlets container, one WebApp has access to another WebApp through /w1/uf1/f.txt /w2/uf2/f.txt type of addressing. That's only because you look at it the wrong way. It is not that one webapp has access to another webapp, it is that the user's browser has (apparently) access to both webapps. By the time one of these links gets used, it is because the html page is loaded by the user's browser, the user clicks on one of the links, and the browser sends a new request to the server. What happens then is only a matter of the server deciding if this request, coming from that browser connection, is allowed to access the requested resource. If you add an authentication requirement in one of these webapps, and not in the other, you will see the difference. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: WebApps sharing uploaded files
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Léa, On 9/30/2011 2:37 PM, Léa Massiot wrote: o I have two WebApps w1 and w2 (under the Tomcat webapps directory). o Both w1 and w2 contain (at least) a JSP which allows to upload files to the server. o Presently, the uploaded files are stored: - in the w1\uf1\ directory for w1, - in the w2\uf2\ directory for w2. Be careful: if you undeploy the webapp, you will have all those files deleted by Tomcat. I highly recommend that you place your upload directory or directories safely /outside/ of Tomcat's webapps directory to avoid any possibility of Tomcat deleting those files. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk6LK3cACgkQ9CaO5/Lv0PBS+gCeJyiZGOqJzB4d3lGH2puGoWAu fhEAn3qEv8wZZT2+UcAKEZR38eXMZWtW =Tmhq -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: WebApps sharing uploaded files
Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Léa, On 9/30/2011 2:37 PM, Léa Massiot wrote: o I have two WebApps w1 and w2 (under the Tomcat webapps directory). o Both w1 and w2 contain (at least) a JSP which allows to upload files to the server. o Presently, the uploaded files are stored: - in the w1\uf1\ directory for w1, - in the w2\uf2\ directory for w2. Be careful: if you undeploy the webapp, you will have all those files deleted by Tomcat. I highly recommend that you place your upload directory or directories safely /outside/ of Tomcat's webapps directory to avoid any possibility of Tomcat deleting those files. Right. But then, Lea's simple scheme for download will stop working. Damn.. Or, wasn't there a possibility to place a symlink within the webapps dir, and have Tomcat /not/ following it when undeploying ? Or was that precisely the catch, that it always does ? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: WebApps sharing uploaded files
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 André, On 10/4/2011 1:31 PM, André Warnier wrote: Or, wasn't there a possibility to place a symlink within the webapps dir, and have Tomcat /not/ following it when undeploying ? Or was that precisely the catch, that it always does ? Look for aliases: http://tomcat.apache.org/tomcat-7.0-doc/config/context.html - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk6LRTgACgkQ9CaO5/Lv0PCTYQCgjwa6es45TZpcKXDdJAF7ZJcx ldgAnRUp90hvnuk3J9zJQ9sg8GK0vmWD =k2fm -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: WebApps sharing uploaded files
Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 André, On 10/4/2011 1:31 PM, André Warnier wrote: Or, wasn't there a possibility to place a symlink within the webapps dir, and have Tomcat /not/ following it when undeploying ? Or was that precisely the catch, that it always does ? Look for aliases: http://tomcat.apache.org/tomcat-7.0-doc/config/context.html Thanks. Seen. Lea, do you follow ? By the way, in that same page, the next item is : quote allowLinking If the value of this flag is true, symlinks will be allowed inside the web application, pointing to resources outside the web application base path. If not specified, the default value of the flag is false. NOTE: This flag MUST NOT be set to true on the Windows platform (or any other OS which does not have a case sensitive filesystem), as it will disable case sensitivity checks, allowing JSP source code disclosure, among other security problems. unquote Is this second paragraph really well-placed there ? Does allowLinking really influence case-sensitivity ? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: WebApps sharing uploaded files
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 André, On 10/4/2011 1:56 PM, André Warnier wrote: quote allowLinking If the value of this flag is true, symlinks will be allowed inside the web application, pointing to resources outside the web application base path. If not specified, the default value of the flag is false. NOTE: This flag MUST NOT be set to true on the Windows platform (or any other OS which does not have a case sensitive filesystem), as it will disable case sensitivity checks, allowing JSP source code disclosure, among other security problems. unquote Is this second paragraph really well-placed there ? Does allowLinking really influence case-sensitivity ? I'm not sure. I think, on Windows, links (like My Link.lnk) need to be processed separately, and, of course, case cannot be considered significant on FAT and NTFS. There are other kinds of symlinks (not My Link.lnk) available on NTFS, but I'm not sure of their semantics. Also note that allowLinking can cause problems with Tomcat's slash-and-burn policy when undeploying webapps on *NIX (and possibly on Windows as well). - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk6LWRAACgkQ9CaO5/Lv0PDJuwCfeZaBGYgxrrZ4cn4RHiJIspUW sqQAnjX5JykypI8V11aR1CmhDp2Fern2 =xaSN -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: WebApps sharing uploaded files
André Warnier a...@ice-sa.com wrote: Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 André, On 10/4/2011 1:31 PM, André Warnier wrote: Or, wasn't there a possibility to place a symlink within the webapps dir, and have Tomcat /not/ following it when undeploying ? Or was that precisely the catch, that it always does ? Look for aliases: http://tomcat.apache.org/tomcat-7.0-doc/config/context.html Thanks. Seen. Lea, do you follow ? By the way, in that same page, the next item is : quote allowLinking If the value of this flag is true, symlinks will be allowed inside the web application, pointing to resources outside the web application base path. If not specified, the default value of the flag is false. NOTE: This flag MUST NOT be set to true on the Windows platform (or any other OS which does not have a case sensitive filesystem), as it will disable case sensitivity checks, allowing JSP source code disclosure, among other security problems. unquote Is this second paragraph really well-placed there ? Yes. Does allowLinking really influence case-sensitivity ? Yes. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: WebApps sharing uploaded files
Hello André, Thank you for all these useful advices. Best regards, -- Léa -- View this message in context: http://old.nabble.com/WebApps-sharing-uploaded-files-tp32570911p32582797.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: WebApps sharing uploaded files
Hello, I solved my problem: 1) in WebApp w1, upload files to the directory w1\uf1\, 2) in WebApp w2, upload files to the directory w1\uf2\, 3) then you can have the same JSP foo.jsp for both WebApps. Put one JSP in w1 and another one in w2. The JSP itself contains a switch: c:choose c:when test=a_test a href=/w1/uf1/f.txtLink 1/ a /c:when c:otherwise a href=/w2/uf2/f.txtLink 2/ a /c:otherwise /c:choose Best regards, -- Léa -- View this message in context: http://old.nabble.com/WebApps-sharing-uploaded-files-tp32570911p32583746.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: WebApps sharing uploaded files
It does? Doesn't that mean you have two distinct copies of f.txt? I thought that's what you were trying to avoid. Or are uf1 and uf2 aliases for the same directory? Or was your goal really to have one JSP that would work in w1 and w2? On Mon, 2011-10-03 at 10:15 -0700, Léa Massiot wrote: Hello, I solved my problem: 1) in WebApp w1, upload files to the directory w1\uf1\, 2) in WebApp w2, upload files to the directory w1\uf2\, 3) then you can have the same JSP foo.jsp for both WebApps. Put one JSP in w1 and another one in w2. The JSP itself contains a switch: c:choose c:when test=a_test a href=/w1/uf1/f.txtLink 1/ a /c:when c:otherwise a href=/w2/uf2/f.txtLink 2/ a /c:otherwise /c:choose Best regards, -- Léa - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: WebApps sharing uploaded files
Hello Tim, Ok. - I have only one copy of f.txt. - uf1 and uf2 are two distinct directories, the first in w1, the second in w2. - I have one JSP (same code) but two copies of it, the first in w1, the second in w2. f.txt either lives under uf1 xor uf2. Maybe I'm not clear enough... but that's basically what I was trying to do... Thank you for your interest, -- Léa -- View this message in context: http://old.nabble.com/WebApps-sharing-uploaded-files-tp32570911p32584132.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: WebApps sharing uploaded files
Léa Massiot wrote: Hello, I solved my problem: 1) in WebApp w1, upload files to the directory w1\uf1\, 2) in WebApp w2, upload files to the directory w1\uf2\, 3) then you can have the same JSP foo.jsp for both WebApps. Put one JSP in w1 and another one in w2. The JSP itself contains a switch: c:choose c:when test=a_test a href=/w1/uf1/f.txtLink 1/ a /c:when c:otherwise a href=/w2/uf2/f.txtLink 2/ a /c:otherwise /c:choose From your original description (post of 30/09) I am a bit puzzled as to how this resolves your problem. Do you mean that you are going to create a new JSP for every new file someone may ever upload ? Or do they always upload the same file f.txt ? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: WebApps sharing uploaded files
Hello André, Thank you for your answer. awarnier wrote: You can define uf wherever you want, as long as Tomcat (and the applications which run under it, like your JSPs) has write access to it. Actually, I already noticed and tried that and my first question is closely linked to my second question about hrefs... (Questions 1) and 2) aren't really two separate questions.) Thank you for your two interesting suggestions: - creating some kind of downloader servlet, - WebDAV which I know nothing about. This is not an academic project. I just made a schematic picture of the situation. Thanks! -- Léa -- View this message in context: http://old.nabble.com/WebApps-sharing-uploaded-files-tp32570911p32573942.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: WebApps sharing uploaded files
Léa Massiot wrote: Hello André, Thank you for your answer. awarnier wrote: You can define uf wherever you want, as long as Tomcat (and the applications which run under it, like your JSPs) has write access to it. Actually, I already noticed and tried that and my first question is closely linked to my second question about hrefs... (Questions 1) and 2) aren't really two separate questions.) Thank you for your two interesting suggestions: - creating some kind of downloader servlet, - WebDAV which I know nothing about. This is not an academic project. I just made a schematic picture of the situation. Ok. Then, - DAV is a protocol (an extension to HTTP) which allows a client to upload and download files to/from a webserver (and also browse webserver directories) over a HTTP connection. There are DAV clients available for most platforms (Windows, Mac,..). Under Windows, what MS calls web folders is a DAV client integrated in the Windows (disk) Explorer. - before inventing your own scheme, look around to see if there are not already applications which do that. It is more complex than you may think, and there is no need to re-invent the wheel. If you provide some additional details about what your application is supposed to do, maybe someone here can orient you to some existing application. If you insist in creating your own application to do this, then a couple of basic notes : Think first about security. You are going to allow people to write to your server's disks, so be careful. Everything a client sends should be considered as suspect until proven otherwise. For example : - Force clients to authenticate before they can upload files, and log what they do. - Do not allow a client to upload files to your server wherever it wants. For example, if the client can specify the filename, don't allow them to specify things like ../../../etc/passwd. - Do not use the filename supplied by the client as a part of any command that you run on the server, unless you are /absolutely/ sure that it is only an innocent filename. - Upload the files to a location where Tomcat has read/write access, and /only/ Tomcat has access. - Make sure that there is no way that anyone can tell any program on your server to /execute/ any uploaded file. - better: do not use the filename that clients specify, as the filename under which you really write the file on the server. First, people give all kinds of silly names to files, including spaces and other characters that can give you problems (think | e.g.). Second, people will use the same name for different files, and you'll end up overwriting stuff. So on the server side, create your own naming scheme, and some mechanism to associate what the client specifies as a name, with the name you are creating on the server. (Of course then, you may also need to provide a special servlet to allow people to browse files, and another one to allow them to delete files). - set some limit to the size of files that anyone can upload. Otherwise it will not take long before someone paralyses your server (maliciously or not). - filter the /type/ of file that clients can upload. Be restrictive : forbid everything /except/ the types you allow, and not the opposite. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
WebApps sharing uploaded files
Hello, Thank you for reading my post. o I have two WebApps w1 and w2 (under the Tomcat webapps directory). o Both w1 and w2 contain (at least) a JSP which allows to upload files to the server. o Presently, the uploaded files are stored: - in the w1\uf1\ directory for w1, - in the w2\uf2\ directory for w2. (So: each WebApp has its own directory for uploaded files storage). = I need the two Webapps to store their uploaded files in the same directory, say uf. Let's say that: - we have created uf somewhere (where?), - uf contains a successfully uploaded file f.txt, - I have a JSP foo_1.jsp in w1 and a JSP foo_2.jsp in w2. I'd like: - to put an anchor in foo_1.jsp which links to f.txt. -- a href=?_1/f.txtLink 1/ a -- - to put an anchor in foo_2.jsp which links to f.txt. -- a href=?_2/f.txtLink 2/ a -- (I want the files to open properly when the each link is clicked). 1) If it's possible, where shall I create uf? 2) What shall I replace ?_1 and the ?_2 with in the href anchor properties? Please help me. Best regards, -- Léa -- View this message in context: http://old.nabble.com/WebApps-sharing-uploaded-files-tp32570911p32570911.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: WebApps sharing uploaded files
Léa Massiot wrote: Hello, Thank you for reading my post. o I have two WebApps w1 and w2 (under the Tomcat webapps directory). o Both w1 and w2 contain (at least) a JSP which allows to upload files to the server. o Presently, the uploaded files are stored: - in the w1\uf1\ directory for w1, - in the w2\uf2\ directory for w2. (So: each WebApp has its own directory for uploaded files storage). = I need the two Webapps to store their uploaded files in the same directory, say uf. Let's say that: - we have created uf somewhere (where?), You can define uf wherever you want, as long as Tomcat (and the applications which run under it, like your JSPs) has write access to it. - uf contains a successfully uploaded file f.txt, - I have a JSP foo_1.jsp in w1 and a JSP foo_2.jsp in w2. I'd like: - to put an anchor in foo_1.jsp which links to f.txt. -- a href=?_1/f.txtLink 1/ a -- - to put an anchor in foo_2.jsp which links to f.txt. -- a href=?_2/f.txtLink 2/ a -- (I want the files to open properly when the each link is clicked). Then you should probably create another JSP/servlet, whose role is to download the requested file to the browser, and which is called with the file name as an query parameter. It can then read the file wherever uf is, and return it to the browser. Now unless this is a purely academic project to learn about webservers and/or Tomcat, the whole thing sounds a bit over-simple, and does not take into account a lot of dangerous aspects of this kind of application. And if it is not purely an academic project, I would recommend having a look at the WebDAV application, which may be what you are looking for. I wish I could give you a pointer to some documentation about that application, but I can't seem to be able to locate it on the Tomcat website. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org