Posted to users@tomcat.apache.org by Dave Harms <jd...@clarionmag.com> on 2000/10/10 21:57:31 UTC
How to hide HTML files served up via a JSP?
Can anyone give me some advice on hiding HTML files so that they're
only available via a mapped servlet? I currently have a servlet mapping
that sends all .html requests to a central servlet which optionally
does some authentication and then forwards the request to a JSP, which
provides a wrapper for the originally requested document.
The problem is that if the requested html actually has an .html
extension, the servlet is called not only on the original request, but
also when the JSP retrieves that document using jsp:include. It would
be an endless loop if not for the IllegalStateException (Cannot forward
as OutputStream or Writer has already been obtained). I can get around
this by renaming the .html files to, say, .htm, but then I have to use
hard-to-guess names for any reasonable level of security. And a good
guess would still bypass the controlling servlet. Ugly.
I'd like to know if:
a) there's a way to selectively disable servlet mapping on the fly, or
to put it another way, can I selectively return from the mapped servlet
in such a way as to allow processing to continue as if it had never
been called
b) there's some other mechanism by which I can make some files
accessible only locally, i.e. by an include, and not visible to anyone
making a direct request on the server.
c) is my only option to implement the DefaultServlet type of
functionality in my controlling servlet.
I did consider implementing all this as a RequestInterceptor, but
decided against it partly because of lack of information and partly
over portability concerns.
All suggestions appreciated. Thanks.
Dave
Dave Harms
jdev@clarionmag.com
Re: How to hide HTML files served up via a JSP?
Posted by kenneth topp <ca...@prodigy.net>.
On Tue, 10 Oct 2000, Dave Harms wrote:
> Kenneth,
>
> > Yes, your .htm trick is good (read: it's what I did). Don't allow
> > requests to come in for .htm (via apache).
> >
> Hmm. I'm standalone Tomcat right now, for simplicity's sake. Might have to
> revisit that, also for load balancing.
Odd seems to be a popular thing nowadays.
Does anyone know what tomcat's http conformance is?
>
> > I think this would be cleaner and more portable than extending JspServlet,
> > (which was my first, short, attempt at this). However, to remain as
> > server independent as possible, I chose something similar to your
> > .html->.htm hack.
> >
> > Good luck, and don't forget about DirectoryIndex (a subtle solution should
> > present itself to you, use it ;).
> >
> Ah, do you mean preventing directory listings? Yes, I wish there was another
> way to switch these off, but it will do.
Actually, the issue was apache knowing to forward to tomcat for virtual
files (ie: if index.html doesn't really exist).
Kenneth Topp
Re: How to hide HTML files served up via a JSP?
Posted by Dave Harms <jd...@clarionmag.com>.
Kenneth,
> Yes, your .htm trick is good (read: it's what I did). Don't allow
> requests to come in for .htm (via apache).
>
Hmm. I'm standalone Tomcat right now, for simplicity's sake. Might have to
revisit that, also for load balancing.
> I think this would be cleaner and more portable than extending JspServlet,
> (which was my first, short, attempt at this). However, to remain as
> server independent as possible, I chose something similar to your
> .html->.htm hack.
>
> Good luck, and don't forget about DirectoryIndex (a subtle solution should
> present itself to you, use it ;).
>
Ah, do you mean preventing directory listings? Yes, I wish there was another
way to switch these off, but it will do.
Thanks!
Dave
Dave Harms
jdev@clarionmag.com
Re: How to hide HTML files served up via a JSP?
Posted by kenneth topp <ca...@prodigy.net>.
On Tue, 10 Oct 2000, Dave Harms wrote:
> Can anyone give me some advice on hiding HTML files so that they're
> only available via a mapped servlet? I currently have a servlet mapping
> that sends all .html requests to a central servlet which optionally
> does some authentication and then forwards the request to a JSP, which
> provides a wrapper for the originally requested document.
>
> The problem is that if the requested html actually has an .html
> extension, the servlet is called not only on the original request, but
> also when the JSP retrieves that document using jsp:include. It would
> be an endless loop if not for the IllegalStateException (Cannot forward
> as OutputStream or Writer has already been obtained). I can get around
> this by renaming the .html files to, say, .htm, but then I have to use
> hard-to-guess names for any reasonable level of security. And a good
> guess would still bypass the controlling servlet. Ugly.
>
> I'd like to know if:
>
> a) there's a way to selectively disable servlet mapping on the fly, or
> to put it another way, can I selectively return from the mapped servlet
> in such a way as to allow processing to continue as if it had never
> been called
Not that I know of.
>
> b) there's some other mechanism by which I can make some files
> accessible only locally, i.e. by an include, and not visible to anyone
> making a direct request on the server.
Yes, your .htm trick is good (read: it's what I did). Don't allow
requests to come in for .htm (via apache). No requests for .htm will
arrive at tomcat, so no problem with security (I didn't have such a
requirement).
> c) is my only option to implement the DefaultServlet type of
> functionality in my controlling servlet.
No, an option is to extend JspServlet, but at least in tomcat 3.2 I find
JspServlet unfriendly to extension, and this technique too tied to 3.2,
which apparently is D.O.A. (from everything I can tell).
>
> I did consider implementing all this as a RequestInterceptor, but
> decided against it partly because of lack of information and partly
> over portability concerns.
I think this would be cleaner and more portable than extending JspServlet,
(which was my first, short, attempt at this). However, to remain as
server independent as possible, I chose something similar to your
.html->.htm hack.
Good luck, and don't forget about DirectoryIndex (a subtle solution should
present itself to you, use it ;).
Kenneth Topp
>
> All suggestions appreciated. Thanks.
>
>
> Dave
>
> Dave Harms
> jdev@clarionmag.com
>
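Option (c) from the question, sketched as an added example that is not code from either poster: a controller mapped to *.html that tells a direct request from the re-entrant jsp:include by the standard include request attribute, and serves the file itself in the second case. The class name, the wrapper path /wrapper.jsp, the "doc" request attribute and the "user" session attribute are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.io.Reader;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical controller, mapped to *.html in web.xml.
public class HtmlGateServlet extends HttpServlet {
    // Request attribute the container sets during RequestDispatcher.include().
    private static final String INCLUDED = "javax.servlet.include.servlet_path";
    private static final String WRAPPER = "/wrapper.jsp"; // assumed wrapper JSP

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        String included = (String) req.getAttribute(INCLUDED);
        if (included != null) {
            // Re-entered through jsp:include: write the file, never forward again.
            copy(included, res);
            return;
        }
        // Direct client request: check the login (assumed session attribute "user").
        if (req.getSession(false) == null
                || req.getSession(false).getAttribute("user") == null) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // wrapper.jsp is assumed to jsp:include the path stored in "doc".
        req.setAttribute("doc", req.getServletPath());
        getServletContext().getRequestDispatcher(WRAPPER).forward(req, res);
    }

    private void copy(String path, HttpServletResponse res) throws IOException {
        // Resolves inside the web application only; null when the file is missing.
        InputStream in = path.contains("..") ? null
                : getServletContext().getResourceAsStream(path);
        if (in == null) return; // an included servlet cannot change the status
        try (Reader r = new InputStreamReader(in, "ISO-8859-1")) {
            PrintWriter out = res.getWriter(); // the JSP already uses the writer
            char[] buf = new char[4096];
            for (int n; (n = r.read(buf)) != -1; ) out.write(buf, 0, n);
        }
    }
}
```

Because every *.html URL still reaches this servlet, the files keep their names and a guessed URL cannot bypass the login check.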