Posted to users@tomcat.apache.org by Dave Harms <jd...@clarionmag.com> on 2000/10/10 21:57:31 UTC

How to hide HTML files served up via a JSP?

Can anyone give me some advice on hiding HTML files so that they're 
only available via a mapped servlet? I currently have a servlet mapping 
that sends all .html requests to a central servlet which optionally 
does some authentication and then forwards the request to a JSP, which 
provides a wrapper for the originally requested document. 

The problem is that if the requested html actually has an .html 
extension, the servlet is called not only on the original request, but 
also when the JSP retrieves that document using jsp:include. It would 
be an endless loop if not for the IllegalStateException (Cannot forward 
as OutputStream or Writer has already been obtained). I can get around 
this by renaming the .html files to, say, .htm, but then I have to use 
hard-to-guess names for any reasonable level of security. And a good 
guess would still bypass the controlling servlet. Ugly.

I'd like to know if:

a) there's a way to selectively disable servlet mapping on the fly, or 
to put it another way, can I selectively return from the mapped servlet 
in such a way as to allow processing to continue as if it had never 
been called

b) there's some other mechanism by which I can make some files 
accessible only locally, i.e. by an include, and not visible to anyone 
making a direct request on the server. 

c) is my only option to implement the DefaultServlet type of 
functionality in my controlling servlet.

I did consider implementing all this as a RequestInterceptor, but 
decided against it partly because of lack of information and partly 
over portability concerns. 

All suggestions appreciated. Thanks. 


Dave

Dave Harms
jdev@clarionmag.com


Re: How to hide HTML files served up via a JSP?

Posted by kenneth topp <ca...@prodigy.net>.
On Tue, 10 Oct 2000, Dave Harms wrote:

> Kenneth,
> 
> > Yes, your .htm trick is good (read: it's what I did).  Don't allow
> > requests to come in for .htm (via apache).
> >
> Hmm. I'm standalone Tomcat right now, for simplicity's sake. Might have to 
> revisit that, also for load balancing. 

Odd seems to be a popular thing nowadays.

Does anyone know what tomcat's http conformance is?

> 
> > I think this would be cleaner and more portable than extending JspServlet,
> > (which was my first, short, attempt at this).  However, to remain as
> > server independent as possible, I chose something similar to your
> > .html->.htm hack.
> >  
> > Good luck, and don't forget about DirectoryIndex (a subtle solution should
> > present itself to you, use it ;).
> >
> Ah, do you mean preventing directory listings? Yes, I wish there was another 
> way to switch these off, but it will do. 

Actually, the issue was apache knowing to forward to tomcat for virtual
files (ie: if index.html doesn't really exist).

Kenneth Topp



Re: How to hide HTML files served up via a JSP?

Posted by Dave Harms <jd...@clarionmag.com>.
Kenneth,

> Yes, your .htm trick is good (read: it's what I did).  Don't allow
> requests to come in for .htm (via apache).
>
Hmm. I'm standalone Tomcat right now, for simplicity's sake. Might have to 
revisit that, also for load balancing. 

> I think this would be cleaner and more portable than extending JspServlet,
> (which was my first, short, attempt at this).  However, to remain as
> server independent as possible, I chose something similar to your
> .html->.htm hack.
>  
> Good luck, and don't forget about DirectoryIndex (a subtle solution should
> present itself to you, use it ;).
>
Ah, do you mean preventing directory listings? Yes, I wish there was another 
way to switch these off, but it will do. 

Thanks!

Dave

Dave Harms
jdev@clarionmag.com


Re: How to hide HTML files served up via a JSP?

Posted by kenneth topp <ca...@prodigy.net>.
On Tue, 10 Oct 2000, Dave Harms wrote:

> Can anyone give me some advice on hiding HTML files so that they're 
> only available via a mapped servlet? I currently have a servlet mapping 
> that sends all .html requests to a central servlet which optionally 
> does some authentication and then forwards the request to a JSP, which 
> provides a wrapper for the originally requested document. 
> 
> The problem is that if the requested html actually has an .html 
> extension, the servlet is called not only on the original request, but 
> also when the JSP retrieves that document using jsp:include. It would 
> be an endless loop if not for the IllegalStateException (Cannot forward 
> as OutputStream or Writer has already been obtained). I can get around 
> this by renaming the .html files to, say, .htm, but then I have to use 
> hard-to-guess names for any reasonable level of security. And a good 
> guess would still bypass the controlling servlet. Ugly.
> 
> I'd like to know if:
> 
> a) there's a way to selectively disable servlet mapping on the fly, or 
> to put it another way, can I selectively return from the mapped servlet 
> in such a way as to allow processing to continue as if it had never 
> been called

not that I know of.

> 
> b) there's some other mechanism by which I can make some files 
> accessible only locally, i.e. by an include, and not visible to anyone 
> making a direct request on the server. 
 
Yes, your .htm trick is good (read: it's what I did).  Don't allow
requests to come in for .htm (via apache).  No requests for .htm will
arrive at tomcat, so no problem with security (I didn't have such a
requirement).

> c) is my only option to implement the DefaultServlet type of 
> functionality in my controlling servlet.

No, an option is to extend JspServlet, but at least in tomcat 3.2 I find
JspServlet unfriendly to extension, and this technique is too tied to 3.2
which apparently is D.O.A. (from everything I can tell).

> 
> I did consider implementing all this as a RequestInterceptor, but 
> decided against it partly because of lack of information and partly 
> over portability concerns. 

I think this would be cleaner and more portable than extending JspServlet,
(which was my first, short, attempt at this).  However, to remain as
server independent as possible, I chose something similar to your
.html->.htm hack.

Good luck, and don't forget about DirectoryIndex (a subtle solution should
present itself to you, use it ;).

Kenneth Topp

> 
> All suggestions appreciated. Thanks. 
> 
> 
> Dave
> 
> Dave Harms
> jdev@clarionmag.com
>
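
An added example, not code from this thread or from Tomcat: one way to handle the re-entry described in the question without renaming files is to let the *.html controller recognise that it was re-invoked by jsp:include (the container sets the javax.servlet.include.* request attributes during an include) and stream the document itself. It assumes the documents are moved under /WEB-INF/content (a directory the servlet specification forbids the container from serving directly), that the container lets a RequestDispatcher target a path under /WEB-INF, and that wrapper.jsp, the "doc" attribute, the "user" session key and the class name are hypothetical.

```java
import java.io.*;
import javax.servlet.ServletException;
import javax.servlet.http.*;

// Hypothetical controller mapped to *.html in web.xml; all names are illustrative.
public class ContentGateServlet extends HttpServlet {
    // Present on the request only while a RequestDispatcher.include() is in progress.
    private static final String INCLUDE_PATH = "javax.servlet.include.servlet_path";
    // Assumed layout: the real documents live here, out of reach of direct requests.
    private static final String STORE = "/WEB-INF/content";
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String included = (String) req.getAttribute(INCLUDE_PATH);
        if (included != null) {
            // Re-entered through jsp:include: stream the file, never forward again.
            stream(included, resp);
            return;
        }
        String path = req.getServletPath();   // client request, e.g. /docs/page.html
        if (path.indexOf("..") >= 0 || !isAuthorized(req)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // wrapper.jsp (assumed) passes the "doc" attribute to jsp:include with flush="true".
        req.setAttribute("doc", STORE + path);
        getServletContext().getRequestDispatcher("/wrapper.jsp").forward(req, resp);
    }
    private void stream(String path, HttpServletResponse resp) throws IOException {
        // Only the content store may be streamed, so web.xml and classes stay private.
        if (!path.startsWith(STORE + "/") || path.indexOf("..") >= 0) {
            throw new IOException("refusing to include " + path);
        }
        InputStream in = getServletContext().getResourceAsStream(path);
        if (in == null) throw new FileNotFoundException(path);
        try {
            Reader r = new InputStreamReader(in, "ISO-8859-1"); // assumed file encoding
            Writer w = resp.getWriter();   // the including JSP already owns the writer
            char[] buf = new char[4096];
            for (int n; (n = r.read(buf)) != -1; ) w.write(buf, 0, n);
        } finally {
            in.close();
        }
    }
    // Placeholder policy: replace with the application's own authentication check.
    private boolean isAuthorized(HttpServletRequest req) {
        HttpSession s = req.getSession(false);
        return s != null && s.getAttribute("user") != null;
    }
}
```

The include attribute is set by the container, not taken from the client, so a direct request cannot reach the streaming branch; confirm on the target container that a direct request for a path under /WEB-INF is rejected before relying on this layout.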