Finally I'll add the restriction on publication, but anyway it would nice to
know whether there's a solution to prevent the JSP from being served (yes,
retrieving an error message or just returning the JSP contents without executing
the class would be alright), at least for the sake of knowing.
The only problem with your alternative is that the mapping is not valid: Perhaps
Tomcat accepts it (I don't think so, as manymonths ago I tried similar mappings
and did not succeed), but anyway the servlet specs only regard four types of
mapping:
- exact path,
- directory ("/foo/bar/*"),
- extension ("*.jsp"),
- default("/").
I don't know why (performance?), but there's no place for things like
"/whatever/*.ext".
About Tim's answer, there are some things that I don't see clear, basically
dealing with the default servlet. The default servlet is after all a servlet, so
it ought to be "forwardable" (something to do with having it defined in the
general web.xml and the forwarder servlet in the app's?). Anyway, the security
constraint seems the best approach. I'll look up the security documentation.
Thank you very much (though alternatives are still welcome, as I said before).
Albert.
----- Original Message -----
From: "Ben Souther" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Sent: Friday, December 12, 2003 3:36 PM
Subject: Re: Disabling JSP execution under certain dirs
It sounds like Albert wants certain (static) files to be viewable.
He just doesn't want anyone to be able to execute JSPs from this directory.
One thing you could try is a servlet mapping that sends all requests ending in
that directory that end with .jsp to a servlet that sends back a message
("FORBIDDEN FILE").
<servlet-mapping>
<servlet-name>ForbiddenFileServlet</servlet-name>
<url-pattern>/DIRECTORY_NAME/*.jsp</url-pattern>
</servlet-mapping>
-Ben
On Friday 12 December 2003 09:10 am, Tim Funk wrote:
> Ideally, files you don't want to be seen should be placed in WEB-INF.
>
> An alternative is to use a security constraint on the directory that has
> all of the content. This can be done in apache too via the <Location>
> directive.
>
> Another way is to place all those JSP's with a different extension and then
> add the mapping to web.xml. Then add the security contraint for that file
> extension. (Or let apache disallow that file extension)
>
> Forwarding to the default servelt WILL provide a 404 because it is a 404.
> The default servlet gets any request not assigned to any other servlet. So
> if the default servlet find the resource, it returns a 404.
>
> -Tim
>
> Albert Moliner wrote:
> > Hello.
> >
> > I've searched the archives on this subject, but the nearest I've reached
> > has been some posts about not serving static content. It's a bit of a
> > surprise that no one has asked this before, so sorry if it is a recurrent
> > question.
> >
> > I want Tomcat (4) to execute JSPs as usual, but prevent it from running
> > the files that are under a certain directory for security reasons. These
> > files can be published by external people and are supposed to be static,
> > but if some mischievous publisher posts a JSP and it is executed then
> > there can be havoc.
> >
> > Apart from preventing the publishing of files with that extension, is
> > there a possible configuration that can be set up?
> >
> > I've tried mapping requests to that dir to the default servlet in
> > web.xml, but 404 errors are returned (why??), and some other wierd things
> > like using an intermediate servlet that forwards to the default servlet
> > through its named request dispatcher (the forward method does not seem to
> > do anything when using the dault servlet, while any other seems to work)
> > or setting up a separate context for that dir and forward requests to the
> > context, which maps *.jsp to the default context (I'll skip the details),
> > but I can't find the solution...
> >
> > What astonishes me more is that forwarding or mapping to the default
> > servlet does not work, but anyway I must be doing something wrong...
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
--
Ben Souther
F.W. Davison & Company, Inc.
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
