Posted to users@tomcat.apache.org by Kim <ki...@aerodrive.com> on 2012/06/27 06:58:56 UTC

restrict per user public_html to serve static files only...

Hi, Dear all
I'm using Tomcat 6.0.35 on Linux CentOS 5.7 using Sun JDK jdk1.5.0_11.
I need to enable public_html for my users but for security reasons, I
would like to restrict the functions to serve static files only.
Can anyone tell me how to do that?
Actually I can build Tomcat from src and don't mind modifying the code
base for this specific feature.
Can anyone help me to point out which source file I should modify ...
Regards,
Kim

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: restrict per user public_html to serve static files only...

Posted by Kim <ki...@aerodrive.com>.
Hi, Warnier

2012/6/27 André Warnier <aw...@ice-sa.com>:
> Kim, when we ask to not "top-post", here is what we mean.
> This is a "correctly" formatted version of your last message :
>
> -- start
>
>
> Hi, Charles
> Really sorry as I'm new here.
>
>>
>> 2012/6/27 Caldarale, Charles R <Ch...@unisys.com>:
>>>>
>>>> From: Kim [mailto:kim@aerodrive.com]
>>>> Subject: Re: restrict per user public_html to serve static files only...
>>>
>>> Please do not top-post; it's rude and annoying.
>>>
>>>> each user can have his/her own web.xml and can do whatever URL
>>>> mapping in web.xml to serve his/her servlet
>>>
>>> ???  You first say users cannot have dynamic content, then state that
>>> users can have their own servlets.  Both can't be true at the same time.
>>>
>
> I would like to restrict the per-user web application to
> serve static files only. But the current implementation of Tomcat
> would enable a web application on a per-user basis, i.e. they can deploy
> a web.xml in WEB-INF and execute a servlet or JSP in Tomcat.
>
> Regards,
> Kim
>
>
> -- end
>
> You see, it's easy to read, in a logical order, thus easy to know which
> answer relates to which question/remark.  And it saves you retyping the
> question.
>

I got it now. Thanks for the help and really sorry for my mistake.
Regards,
Kim



Re: restrict per user public_html to serve static files only...

Posted by André Warnier <aw...@ice-sa.com>.
Kim, when we ask to not "top-post", here is what we mean.
This is a "correctly" formatted version of your last message :

-- start

Hi, Charles
Really sorry as I'm new here.

> 
> 2012/6/27 Caldarale, Charles R <Ch...@unisys.com>:
>>> From: Kim [mailto:kim@aerodrive.com]
>>> Subject: Re: restrict per user public_html to serve static files only...
>> Please do not top-post; it's rude and annoying.
>>
>>> each user can have his/her own web.xml and can do whatever URL
>>> mapping in web.xml to serve his/her servlet
>> ???  You first say users cannot have dynamic content, then state that users can have their own servlets.  Both can't be true at the same time.
>>

I would like to restrict the per-user web application to
serve static files only. But the current implementation of Tomcat
would enable a web application on a per-user basis, i.e. they can deploy
a web.xml in WEB-INF and execute a servlet or JSP in Tomcat.

Regards,
Kim


-- end

You see, it's easy to read, in a logical order, thus easy to know which answer relates to 
which question/remark.  And it saves you retyping the question.




Re: restrict per user public_html to serve static files only...

Posted by Kim <ki...@aerodrive.com>.
Hi, Charles
Really sorry as I'm new here.
OK, here is the answer to your question:
- You first say users cannot have dynamic content, then state that
users can have their own servlets.  Both can't be true at the same
time.
ans: I would like to restrict the per-user web application to
serve static files only. But the current implementation of Tomcat
would enable a web application on a per-user basis, i.e. they can deploy
a web.xml in WEB-INF and execute a servlet or JSP in Tomcat.

Regards,
Kim

2012/6/27 Caldarale, Charles R <Ch...@unisys.com>:
>> From: Kim [mailto:kim@aerodrive.com]
>> Subject: Re: restrict per user public_html to serve static files only...
>
> Please do not top-post; it's rude and annoying.
>
>> each user can have his/her own web.xml and can do whatever URL
>> mapping in web.xml to serve his/her servlet
>
> ???  You first say users cannot have dynamic content, then state that users can have their own servlets.  Both can't be true at the same time.
>
>  - Chuck
>
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.



RE: restrict per user public_html to serve static files only...

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Kim [mailto:kim@aerodrive.com] 
> Subject: Re: restrict per user public_html to serve static files only...

Please do not top-post; it's rude and annoying.

> each user can have his/her own web.xml and can do whatever URL
> mapping in web.xml to serve his/her servlet

???  You first say users cannot have dynamic content, then state that users can have their own servlets.  Both can't be true at the same time.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.




Re: restrict per user public_html to serve static files only...

Posted by André Warnier <aw...@ice-sa.com>.
Kim wrote:
> Hi, Andre
> 
> How so ? can you explain ?
> After all, Tomcat itself has to know if the resource being served is a
> servlet or jsp page or something else, in order to serve it properly.
> So how come you cannot do the same ?
> ans : each user can have his/her own web.xml and can do whatever URL
> mapping in web.xml to serve his/her servlet ... That's why I cannot
> know in advance unless I go into the user's WEB-INF to do the parsing

Right, so you /are/ trying to implement something like the ~userdir of Apache httpd.
I tend to agree with Mikolaj then, you may be better off keeping Apache httpd for that.

Or else, this is the kind of situation for which the "security manager" of Tomcat 
(actually of Java) may be the way to go.  If individual users can upload stuff and have it 
served by Tomcat, at least restrict whatever these things can actually do.

Have a look first at the file (catalina_home)/conf/catalina.policy, section "WEB 
APPLICATION PERMISSIONS".
It seems to me that by not granting those permissions (other than to your own webapps), 
you can greatly restrict what users can do.

As long as the users don't have access to (catalina_base)/conf of course.

It also means of course that you /must/ grant these permissions to your own webapps, which 
tends to be a p.i.t.a.  But then, you have an open system, so it belongs to you to close 
the holes.



> ...
> 
> Another question : where is this "public_html" directory (?) actually
> located, and what does/can it contain, other than static pages ?
> ans : I configure tomcat to enable per-user web as follows:
>  <Listener className="org.apache.catalina.startup.UserConfig"
>             directoryName="public_html"
>             homeBase="/share/home"
>             userClass="org.apache.catalina.startup.HomesUserDatabase"/>
> 
> Regards,
> Kim
> 
> 2012/6/27 André Warnier <aw...@ice-sa.com>:
>> Regarding the style of communications : on this list, it is preferred if
>> posters answer *below* the respective text to which they refer, not on top
>> of the message.
>> It makes it so much easier to follow the flow of the conversation (rather
>> than having to scroll up and down to find the appropriate paragraph).
>>
>>
>> Kim wrote:
>>> Hi,Andre
>>> Thanks for the advice. I do implement a Valve class to capture all the
>>> request before forwarding to actual web app. However, I can not know
>>> in advance the actual url for the servlet or JSP ..
>>> i.e. I can not know from the URI  in the Valve class that the
>>> resources is static files or servlet ...
>>
>> How so ? can you explain ?
>> After all, Tomcat itself has to know if the resource being served is a
>> servlet or jsp page or something else, in order to serve it properly. So how
>> come you cannot do the same ?
>>
>> Another question : where is this "public_html" directory (?) actually
>> located, and what does/can it contain, other than static pages ?
>>




Re: restrict per user public_html to serve static files only...

Posted by Kim <ki...@aerodrive.com>.
Hi, Andre

How so ? can you explain ?
After all, Tomcat itself has to know if the resource being served is a
servlet or jsp page or something else, in order to serve it properly.
So how come you cannot do the same ?
ans : each user can have his/her own web.xml and can do whatever URL
mapping in web.xml to serve his/her servlet ... That's why I cannot
know in advance unless I go into the user's WEB-INF to do the parsing
...

Another question : where is this "public_html" directory (?) actually
located, and what does/can it contain, other than static pages ?
ans : I configure tomcat to enable per-user web as follows:
 <Listener className="org.apache.catalina.startup.UserConfig"
            directoryName="public_html"
            homeBase="/share/home"
            userClass="org.apache.catalina.startup.HomesUserDatabase"/>

Regards,
Kim

2012/6/27 André Warnier <aw...@ice-sa.com>:
> Regarding the style of communications : on this list, it is preferred if
> posters answer *below* the respective text to which they refer, not on top
> of the message.
> It makes it so much easier to follow the flow of the conversation (rather
> than having to scroll up and down to find the appropriate paragraph).
>
>
> Kim wrote:
>>
>> Hi,Andre
>> Thanks for the advice. I do implement a Valve class to capture all the
>> request before forwarding to actual web app. However, I can not know
>> in advance the actual url for the servlet or JSP ..
>> i.e. I can not know from the URI  in the Valve class that the
>> resources is static files or servlet ...
>
>
> How so ? can you explain ?
> After all, Tomcat itself has to know if the resource being served is a
> servlet or jsp page or something else, in order to serve it properly. So how
> come you cannot do the same ?
>
> Another question : where is this "public_html" directory (?) actually
> located, and what does/can it contain, other than static pages ?
>



Re: restrict per user public_html to serve static files only...

Posted by André Warnier <aw...@ice-sa.com>.
Regarding the style of communications : on this list, it is preferred if posters answer 
*below* the respective text to which they refer, not on top of the message.
It makes it so much easier to follow the flow of the conversation (rather than having to 
scroll up and down to find the appropriate paragraph).

Kim wrote:
> Hi,Andre
> Thanks for the advice. I do implement a Valve class to capture all the
> request before forwarding to actual web app. However, I can not know
> in advance the actual url for the servlet or JSP ..
> i.e. I can not know from the URI  in the Valve class that the
> resources is static files or servlet ...

How so ? can you explain ?
After all, Tomcat itself has to know if the resource being served is a servlet or jsp page 
or something else, in order to serve it properly. So how come you cannot do the same ?

Another question : where is this "public_html" directory (?) actually located, and what 
does/can it contain, other than static pages ?






Re: restrict per user public_html to serve static files only...

Posted by Kim <ki...@aerodrive.com>.
Hi,Andre
Thanks for the advice. I did implement a Valve class to capture all the
requests before forwarding to the actual web app. However, I cannot know
in advance the actual URL for the servlet or JSP ..
i.e. I cannot know from the URI in the Valve class whether the
resource is a static file or a servlet ...
Regards,
Kim

2012/6/27 André Warnier <aw...@ice-sa.com>:
> Kim wrote:
>
>> Hi, Dear all
>> I'm using Tomcat 6.0.35 on Linux CentOS 5.7 using Sun JDK jdk1.5.0_11.
>> I need to enable public_html for my users but for security reasons, I
>> would like to restrict the functions to serve static files only.
>> Can anyone tell me how to do that?
>> Actually I can build Tomcat from src and don't mind modifying the code
>> base for this specific feature.
>> Can anyone help me to point out which source file I should modify ...
>> Regards,
>> Kim
>>
>
> Modifying the Tomcat code base for this seems to me a heavy, non-portable,
> non-maintainable, non-upgradable solution.
> You could do this with a very simple (*) Servlet Filter.  One may already exist
> which does that.
> I'd be surprised if you couldn't do that with, for example, the URLRewrite
> filter.
> http://www.tuckey.org/urlrewrite/
> Rewrite URLs that do not point to static pages, to some error page URL, et
> voila.
> (better : rewrite all /public_html/* URLs to the error page, /except/ if
> they end in \.(xxx|yyy|zzz))
>
>
> (*) and light and portable and maintainable and upgradable

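Added example, not code from the thread or from Tomcat itself: a Host-level Valve that decides by the Wrapper Tomcat has already mapped, not by the URI. By the time a Valve in the Host pipeline runs, CoyoteAdapter has mapped the request to a Context and a Wrapper, so request.getWrapper().getServletClass() tells the Valve whether the DefaultServlet or something else (the JspServlet, a servlet declared in a user's web.xml) would answer. The package name, the class name and the choice to also allow only GET and HEAD are this example's own; it is written against the Tomcat 6 org.apache.catalina API.

```java
package example.tomcat;  // hypothetical package, not part of Tomcat

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.Context;
import org.apache.catalina.Wrapper;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Host-level Valve: for user web applications (deployed by UserConfig
 * under /~user) only let through requests that Tomcat has already mapped
 * to the DefaultServlet, and only with read-only methods. Everything else
 * is answered with 403 before the user's context is ever entered, so a
 * user's own web.xml cannot filter or remap around it.
 */
public class StaticOnlyValve extends ValveBase {

    private static final String DEFAULT_SERVLET =
            "org.apache.catalina.servlets.DefaultServlet";

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        Context context = request.getContext();
        Wrapper wrapper = request.getWrapper();
        String servletClass = (wrapper == null) ? null : wrapper.getServletClass();

        if (context != null && isUserContext(context.getPath())
                && !isAllowed(servletClass, request.getMethod())) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        getNext().invoke(request, response);
    }

    /** UserConfig names each user's context "/~" + user. */
    static boolean isUserContext(String contextPath) {
        return contextPath != null && contextPath.startsWith("/~");
    }

    /**
     * Decision logic kept separate from the Valve plumbing.
     * The mapped servlet must be Tomcat's DefaultServlet (not the
     * JspServlet mapped from conf/web.xml, not a user-declared servlet),
     * and the method must be one that only reads: the DefaultServlet
     * would honour PUT and DELETE if a user's web.xml redeclared it with
     * readonly=false.
     */
    static boolean isAllowed(String servletClass, String method) {
        if (!DEFAULT_SERVLET.equals(servletClass)) {
            return false;
        }
        return "GET".equals(method) || "HEAD".equals(method);
    }
}
```

Put the compiled class in a jar under (catalina_home)/lib and add `<Valve className="example.tomcat.StaticOnlyValve"/>` inside the `<Host>` element next to the UserConfig Listener. The Valve does not remove the JspServlet mapping inherited from conf/web.xml; it refuses to dispatch to it, which is sufficient because Jasper compiles a page only when the JspServlet is actually invoked.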


Re: restrict per user public_html to serve static files only...

Posted by André Warnier <aw...@ice-sa.com>.
Kim wrote:

> Hi, Dear all
> I'm using Tomcat 6.0.35 on Linux CentOS 5.7 using Sun JDK jdk1.5.0_11.
> I need to enable public_html for my users but for security reasons, I
> would like to restrict the functions to serve static files only.
> Can anyone tell me how to do that?
> Actually I can build Tomcat from src and don't mind modifying the code
> base for this specific feature.
> Can anyone help me to point out which source file I should modify ...
> Regards,
> Kim
> 

Modifying the Tomcat code base for this seems to me a heavy, non-portable, 
non-maintainable, non-upgradable solution.
You could do this with a very simple (*) Servlet Filter.  One may already exist which does that.
I'd be surprised if you couldn't do that with, for example, the URLRewrite filter.
http://www.tuckey.org/urlrewrite/
Rewrite URLs that do not point to static pages, to some error page URL, et voila.
(better : rewrite all /public_html/* URLs to the error page, /except/ if they end in 
\.(xxx|yyy|zzz))


(*) and light and portable and maintainable and upgradable



Re: restrict per user public_html to serve static files only...

Posted by Kim <ki...@aerodrive.com>.
Hi,Mikolaj
Actually I would like to get rid of Apache httpd.
Regards,
Kim

2012/6/27 Mikolaj Rydzewski <mi...@ceti.pl>:
> On 27.06.2012 06:58, Kim wrote:
>
>> I'm using Tomcat 6.0.35 on Linux CentOS 5.7 using Sun JDK jdk1.5.0_11.
>> I need to enable public_html for my users but for security reasons, I
>> would like to restrict the functions to serve static files only.
>> Can anyone tell me how to do that ?
>
>
> IMO apache httpd suits better in this situation. There's built in support
> for public_html directories. Since all you need is to serve static files I
> see no point in using tomcat.
>
> --
> Mikolaj Rydzewski <mi...@ceti.pl>
>



Re: restrict per user public_html to serve static files only...

Posted by Mikolaj Rydzewski <mi...@ceti.pl>.
On 27.06.2012 06:58, Kim wrote:

> I'm using Tomcat 6.0.35 on Linux CentOS 5.7 using Sun JDK 
> jdk1.5.0_11.
> I need to enable public_html for my users but for security reasons, I
> would like to restrict the functions to serve static files only.
> Can anyone tell me how to do that ?

IMO apache httpd suits better in this situation. There's built in 
support for public_html directories. Since all you need is to serve 
static files I see no point in using tomcat.

-- 
Mikolaj Rydzewski <mi...@ceti.pl>



Re: restrict per user public_html to serve static files only...

Posted by Kim <ki...@aerodrive.com>.
Hi, Kolinko
Really thanks. Yes, I have hunted down UserConfig in the source tree
of Tomcat and can modify UserConfig.java to skip those user contexts if
there exists a /WEB-INF/web.xml in their public_html directory.
And I can also insert a Valve filter to skip those URLs with the jsp extension ...
But I do think it's a very clumsy solution and I'm looking for a more
elegant solution in which, for a per-user web application, the only
servlet that can be invoked is the "DefaultServlet" that serves static
files only..
Regards,
Kim

> For reference, the "User Web Applications" feature is implemented via a
> Listener, o.a.catalina.startup.UserConfig, which enumerates users and
> deploys their web applications.  Documentation is in
> config/listeners.html and config/host.html.
>
> Currently it creates a web application for each user when Tomcat starts.
> Probably it could be improved to perform such deployment once in a
> while on Lifecycle.PERIODIC_EVENT.
>
>
> First,
> you need to prevent not only jsps, but servlets as well.
>
> I think I would create my own UserConfig listener so that it would
> skip directories
> that have WEB-INF and META-INF directories in them.
>
> Things to beware are WEB-INF/web.xml, WEB-INF/lib (because of web
> fragments feature of Servlet 3.0), WEB-INF/classes (unlikely, but just
> to be sure; maybe it could be used to reconfigure logging).
>
> There should not be META-INF/context.xml file. (Though as far as I
> remember when an application is deployed via UserConfig the
> context.xml file is ignored).
>
>
> Second,
> Processing of Jsp files can be enabled through two constructs
> a) explicit mapping of JspServlet, like it is done in conf/web.xml
> b) implicitly by using <jsp-property-group> with a url pattern that
> matches the file.
>
> I think that removing JspServlet mappings from global conf/web.xml
> will disable JSP processing for you.
>
>
>
>
> 2012/6/27 André Warnier <aw...@ice-sa.com>:
>>
>> Have a look first at the file (catalina_home)/conf/catalina.policy, section
>> "WEB APPLICATION PERMISSIONS".
>> It seems to me that by not granting those permissions (other than to your
>> own webapps), you can greatly restrict what users can do.
>>
>
> Note that regardless of contents of conf/catalina.policy every web
> application is granted permission to load its own classes and write to
> its own temporary directory. The servlet spec requires it.
>
> Best regards,
> Konstantin Kolinko



Re: restrict per user public_html to serve static files only...

Posted by Konstantin Kolinko <kn...@gmail.com>.
2012/6/27 Kim <ki...@aerodrive.com>:
> Hi, Dear all
> I'm using Tomcat 6.0.35 on Linux CentOS 5.7 using Sun JDK jdk1.5.0_11.
> I need to enable public_html for my users but for security reasons, I
> would like to restrict the functions to serve static files only.
> Can anyone tell me how to do that?
> Actually I can build Tomcat from src and don't mind modifying the code
> base for this specific feature.
> Can anyone help me to point out which source file I should modify ...

For reference, the "User Web Applications" feature is implemented via a
Listener, o.a.catalina.startup.UserConfig, which enumerates users and
deploys their web applications.  Documentation is in
config/listeners.html and config/host.html.

Currently it creates a web application for each user when Tomcat starts.
Probably it could be improved to perform such deployment once in a
while on Lifecycle.PERIODIC_EVENT.


First,
you need to prevent not only jsps, but servlets as well.

I think I would create my own UserConfig listener so that it would
skip directories
that have WEB-INF and META-INF directories in them.

Things to beware are WEB-INF/web.xml, WEB-INF/lib (because of web
fragments feature of Servlet 3.0), WEB-INF/classes (unlikely, but just
to be sure; maybe it could be used to reconfigure logging).

There should not be META-INF/context.xml file. (Though as far as I
remember when an application is deployed via UserConfig the
context.xml file is ignored).


Second,
Processing of Jsp files can be enabled through two constructs
a) explicit mapping of JspServlet, like it is done in conf/web.xml
b) implicitly by using <jsp-property-group> with a url pattern that
matches the file.

I think that removing JspServlet mappings from global conf/web.xml
will disable JSP processing for you.




2012/6/27 André Warnier <aw...@ice-sa.com>:
>
> Have a look first at the file (catalina_home)/conf/catalina.policy, section
> "WEB APPLICATION PERMISSIONS".
> It seems to me that by not granting those permissions (other than to your
> own webapps), you can greatly restrict what users can do.
>

Note that regardless of contents of conf/catalina.policy every web
application is granted permission to load its own classes and write to
its own temporary directory. The servlet spec requires it.

Best regards,
Konstantin Kolinko

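Added example, not code from the thread or from the Tomcat code base: a subclass of UserConfig that carries out the two points above. It skips any public_html that contains a WEB-INF or META-INF directory, and it starts each accepted user context against a JSP-free copy of conf/web.xml instead of the global one, so the only servlet left to map is the DefaultServlet. It reuses UserConfig's public property getters (homeBase, directoryName, userClass), so the existing server.xml attributes keep working, and relies on StandardContext.setDefaultWebXml, which ContextConfig honours in Tomcat 6. The package name, the class name, the staticWebXml property and the path conf/web-static.xml are this example's assumptions; conf/web-static.xml is assumed to be a copy of conf/web.xml with the servlet named jsp and its *.jsp and *.jspx servlet-mappings deleted.

```java
package example.tomcat;  // hypothetical package, not part of Tomcat

import java.io.File;
import java.util.Enumeration;

import org.apache.catalina.Host;
import org.apache.catalina.Lifecycle;
import org.apache.catalina.LifecycleEvent;
import org.apache.catalina.core.StandardContext;
import org.apache.catalina.startup.ContextConfig;
import org.apache.catalina.startup.UserConfig;
import org.apache.catalina.startup.UserDatabase;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;

/**
 * Replacement for UserConfig: deploys a user's public_html only when it
 * carries no WEB-INF or META-INF, and starts the context with a default
 * web.xml that has no JspServlet, so only the DefaultServlet can be mapped.
 */
public class StaticOnlyUserConfig extends UserConfig {

    private static final Log log = LogFactory.getLog(StaticOnlyUserConfig.class);

    /** JSP-free copy of conf/web.xml, relative to catalina.base (assumed to exist). */
    private String staticWebXml = "conf/web-static.xml";
    private Host host;

    public String getStaticWebXml() { return staticWebXml; }
    public void setStaticWebXml(String path) { this.staticWebXml = path; }

    @Override
    public void lifecycleEvent(LifecycleEvent event) {
        if (!Lifecycle.START_EVENT.equals(event.getType())) {
            return;                       // like UserConfig, act only on Host start
        }
        try {
            host = (Host) event.getLifecycle();
        } catch (ClassCastException e) {
            log.error("StaticOnlyUserConfig must be attached to a Host", e);
            return;
        }
        deployUsers();
    }

    private void deployUsers() {
        UserDatabase database;
        try {
            database = (UserDatabase) Class.forName(getUserClass()).newInstance();
        } catch (Exception e) {
            log.error("Cannot load user database " + getUserClass(), e);
            return;
        }
        database.setUserConfig(this);     // HomesUserDatabase reads homeBase from us
        Enumeration users = database.getUsers();   // raw type: Tomcat 6 / JDK 1.5
        while (users.hasMoreElements()) {
            String user = (String) users.nextElement();
            String home = database.getHome(user);
            if (home != null) {
                deployUser(user, home);
            }
        }
    }

    /** Returns true when a context was deployed, false when skipped. */
    boolean deployUser(String user, String home) {
        String contextPath = "/~" + user;
        if (host.findChild(contextPath) != null) {
            return false;                 // already present on this Host
        }
        File app = new File(home, getDirectoryName());
        if (!app.isDirectory()) {
            return false;
        }
        String reason = rejectReason(app);
        if (reason != null) {
            log.warn("Skipping " + contextPath + ": " + reason);
            return false;
        }
        try {
            StandardContext context = new StandardContext();
            context.setPath(contextPath);
            context.setDocBase(app.getAbsolutePath());
            context.setDefaultWebXml(staticWebXml);   // instead of conf/web.xml
            context.addLifecycleListener(new ContextConfig());
            host.addChild(context);
            return true;
        } catch (Exception e) {
            log.error("Error deploying " + contextPath, e);
            return false;
        }
    }

    /** The directories named in the thread; null means acceptable. File.exists() follows symlinks. */
    static String rejectReason(File app) {
        if (new File(app, "WEB-INF").exists()) {
            return "contains WEB-INF (web.xml, lib/ or classes/ would be honoured)";
        }
        if (new File(app, "META-INF").exists()) {
            return "contains META-INF (possible context.xml)";
        }
        return null;
    }
}
```

In server.xml the existing element becomes `<Listener className="example.tomcat.StaticOnlyUserConfig" directoryName="public_html" homeBase="/share/home" userClass="org.apache.catalina.startup.HomesUserDatabase"/>`, optionally with a `staticWebXml` attribute; the Host digester sets any bean property from an attribute. The check runs once at Host start, so a user who adds WEB-INF afterwards is only excluded at the next restart, which is why the per-request check in a Valve is still worth having alongside it.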