On Mon, Aug 24, 2020 at 12:34 PM Olaf Kock <tom...@olafkock.de> wrote:
> On 24.08.20 16:41, Aryeh Friedman wrote:
> > On Mon, Aug 24, 2020 at 4:27 AM Mark Thomas <ma...@apache.org> wrote:
> >
> >> On 23/08/2020 22:05, Aryeh Friedman wrote:
> >>> In order to allow my developers to quickly access any temporarily
> >>> produced html files created/stored outside of webapps (such as those
> >>> created by the jacoco test coverage tool) I want to allow read only
> >>> access to the root directory of the development server (firewalled and
> >>> all access outside of the LAN is disabled) via tomcat. I can get it to
> >>> do any directory *EXCEPT* / as the docBase but a docBase of "/" returns
> >>> an empty dir listing
> >>
> [snip]
> >> I'd do this with a ROOT.xml file in
> >> $CATALINA_BASE/conf/Catalina/localhost but the above should work.
> [snip]
>
> I'd recommend to *not* go this route. Rather google for "java web file
> manager" or variations thereof: You'll find several open source projects
> that implement a file browser in a deployable web application. You can
> apply password protection to it, update/deploy/configure the application
> (e.g. to prevent /etc/passwd from being read) and so on.

1. The LAN is completely firewalled and NAT'ed off (there is no easy way for an outsider to get to it, and if they did find a way we would have bigger problems than someone who got to see the contents of some VM that has nothing but source code and the compiled results thereof in it).

2. There are two users: me and my co-developer/business partner/spouse, so I have 100% trust in them.

> I'm explicitly not linking any of those applications here, as I can't
> recommend any from my own experience. I remember having worked with one
> ages ago that was implemented in a single JSP (great to plant a
> debugging backdoor on production servers. But /cough/ who would ever do
> that?)

My co-developer does not use Java, nor do they have a JRE installed (nor do they want one installed, due to the security issues of desktop Java apps); to do their editing they write their Java code in Notepad and upload it to the development server. This is specifically meant so they can easily look at the *RENDERED* html output of jacoco's coverage report (jacoco does not output anything but raw html files in the current working dir). Since our version control software, aegis, uses discrete change sets, the development dir is always in the user's home dir, and jacoco produces its results relative to the dir it was called in (the dev dir), it is not easy to make this a web app (even with symlinks some scripting would be needed, and it would need to be on the smart end). Besides, starting and stopping tomcat takes about 20 seconds (even if scripted) and thus would really put a kink in the write some code->compile->test->check coverage->write some more code->... cycle, which usually is a few mins at tops.

TL;DR -- We are well aware of the risks in *GENERAL*; they just don't apply in our case though.

-- 
Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org