Posted to users@tomcat.apache.org by fa...@geocom.com.uy on 2011/06/08 16:17:03 UTC

Static resource mapping in web.xml

Dear all,

I'm facing the following problem in Tomcat (probably just
configuration).

I have a WEBAPP which uses the "invoker" servlet (I know how
bad it is, but for now it gets the job done).

The static content is under the "/images/" path.

So a typical URL was like
"http://host:8080/webapp/servlet/home".

To avoid the "servlet" part of the URL I laid hands on
"web.xml".

This is the result:

    <web-app>
        <servlet-mapping>
            <servlet-name>invoker</servlet-name>
            <url-pattern>/*</url-pattern>
        </servlet-mapping>
        <servlet-mapping>
            <servlet-name>default</servlet-name>
            <url-pattern>/images/*</url-pattern>
        </servlet-mapping>
    </web-app>

                               

The problem is that static content is not shown under
"images", it is shown under "images/images".

For example:

    http://host:8080/webapp/images/help.png           ERROR
    http://host:8080/webapp/images/images/help.png    OK

In order to keep things as tidy as possible I would like
static content to be served under "images".

Using ROOT is not an option because this tomcat is shared
among several WEBAPPS.

Is there anything wrong with my configuration or am I
missing something?

This post addresses the same issue:

    http://stackoverflow.com/questions/234210/can-anyone-explain-servlet-mapping

Thanks in advance and please excuse my bad English.

Best regards,
    Federico.

OS        CentOS 5
Tomcat    6.0.29
JVM       1.6.0_20-b02

 


Re: Static resource mapping in web.xml

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Federico,

On 6/8/2011 10:17 AM, falvarez@geocom.com.uy wrote:
> <servlet-mapping>
>   <servlet-name>invoker</servlet-name>
>   <url-pattern>/*</url-pattern>
> </servlet-mapping>

Why not map the invoker to "/servlet/*"?

Seems like that would fix your problem.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Static resource mapping in web.xml

Posted by Pid <pi...@pidster.com>.
On 08/06/2011 17:48, falvarez@geocom.com.uy wrote:
> Currently we do not have this kind of attacks because the app runs in an
> intranet. But I know that in this closed scenario we should beware of the
> users.

But if your network is penetrated, your server will be vulnerable and
therefore a resource which can be compromised & further used to launch
attacks.


p


RE: Static resource mapping in web.xml

Posted by fa...@geocom.com.uy.
Thanks a lot André for taking the time to explain.

Currently we do not have this kind of attack because the app runs in an
intranet. But I know that in this closed scenario we should beware of the
users.

Hopefully, someday, we will be able to properly map this application in
web.xml and leave these problems behind (and get new ones ;)).

Thanks again.

Best regards,
    Federico.



Re: Static resource mapping in web.xml

Posted by André Warnier <aw...@ice-sa.com>.
falvarez@geocom.com.uy wrote:
> I know we are going a little off the original topic, but for me this is very
> interesting.
> 
> I think I understand your point:
> 
> 	Any library in /webapp/lib/ that has access to executing linux
> commands (as you point) could be executed as well from any browser.
>

No, unless it is specifically mapped to a URL in web.xml.


> 	If invoker is not enabled, unless this class is mapped there is no
> possible harm.
> 
> Your example made clear the damage potential in using invoker.
> 
> But: unless there are JARs with these capabilities in Tomcat's distribution or
> standard packages (like xstream, axis, itext, ...) this is a very improbable
> situation, right?

All of those are open-source. So anyone can examine the code to determine if there is some 
function in there that can be misused.

> Because whoever writes this URL should precisely know the
> architecture of the application in order to use a non-standard library or
> servlet.
> 
Yes, but they can find out, using the same invoker servlet. They just have to try any URL 
they can think of, until it works..

Have you ever looked at your Internet webserver logs, and seen lines like these ?

[Tue May 31 04:02:30 2011] [error] [client 91.121.243.113] File does not exist: /var/www/default/docs/w00tw00t.at.blackhats.romanian.anti-sec:)
[Tue May 31 04:02:31 2011] [error] [client 91.121.243.113] File does not exist: /var/www/default/docs/phpMyAdmin
[Tue May 31 04:02:31 2011] [error] [client 91.121.243.113] File does not exist: /var/www/default/docs/phpmyadmin
[Tue May 31 04:02:31 2011] [error] [client 91.121.243.113] File does not exist: /var/www/default/docs/pma
[Tue May 31 04:02:31 2011] [error] [client 91.121.243.113] File does not exist: /var/www/default/docs/myadmin
[Tue May 31 04:02:31 2011] [error] [client 91.121.243.113] File does not exist: /var/www/default/docs/MyAdmin

Now, where do you think these come from ?
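
Added example, not part of André's message: one way to spot the kind of URL guessing shown in the log lines above, by counting how many distinct missing paths each client asked for. The log layout is the one quoted above; the client addresses and the threshold are constructed for the example.

```shell
#!/bin/sh
# Constructed sample in the error-log layout quoted above. The client
# addresses are documentation-range placeholders, not real hosts.
sample_error_log() {
cat <<'EOF'
[Tue May 31 04:02:30 2011] [error] [client 192.0.2.10] File does not exist: /var/www/default/docs/phpMyAdmin
[Tue May 31 04:02:31 2011] [error] [client 192.0.2.10] File does not exist: /var/www/default/docs/phpmyadmin
[Tue May 31 04:02:31 2011] [error] [client 192.0.2.10] File does not exist: /var/www/default/docs/pma
[Tue May 31 04:02:31 2011] [error] [client 192.0.2.10] File does not exist: /var/www/default/docs/pma
[Tue May 31 04:02:32 2011] [error] [client 192.0.2.10] File does not exist: /var/www/default/docs/myadmin
[Tue May 31 09:15:02 2011] [error] [client 198.51.100.7] File does not exist: /var/www/default/docs/favicon.ico
[Tue May 31 09:15:40 2011] [notice] caught SIGTERM, shutting down
EOF
}

# flag_probers MIN < error_log
# Prints "client distinct_missing_paths total_misses" for every client that
# requested at least MIN different non-existent paths. A single broken link
# gives one distinct path; a scanner walking a word list gives many.
flag_probers() {
    awk -v min="$1" '
        / \[error\] / && /File does not exist: / {
            # The address sits inside "[client ADDR]".
            if (!match($0, /\[client [^]]+\]/)) next
            client = substr($0, RSTART + 8, RLENGTH - 9)
            path = $0
            sub(/^.*File does not exist: /, "", path)
            total[client]++
            # Count each (client, path) pair once so retries do not inflate it.
            if (!((client, path) in seen)) {
                seen[client, path] = 1
                distinct[client]++
            }
        }
        END {
            for (c in distinct)
                if (distinct[c] >= min) print c, distinct[c], total[c]
        }
    ' | sort
}

# Demo on the constructed sample: only the client that tried several
# different paths is reported.
sample_error_log | flag_probers 3
```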




RE: Static resource mapping in web.xml

Posted by fa...@geocom.com.uy.
I know we are going a little off the original topic, but for me this is very
interesting.

I think I understand your point:

	Any library in /webapp/lib/ that has access to executing Linux
commands (as you point out) could be executed as well from any browser.

	If invoker is not enabled, unless this class is mapped there is no
possible harm.

Your example made clear the damage potential in using invoker.

But: unless there are JARs with these capabilities in Tomcat's distribution or
standard packages (like xstream, axis, itext, ...) this is a very improbable
situation, right? Because whoever writes this URL should precisely know the
architecture of the application in order to use a non-standard library or
servlet.



Re: Static resource mapping in web.xml

Posted by André Warnier <aw...@ice-sa.com>.
falvarez@geocom.com.uy wrote:
...

> 
> Invoker: I know it is bad (even more than the overlord), probably don't know
> how bad or the impact it has in usage, but for now it works.
> 
> I've read some about it, but never could really understand the problems it
> brings.
> 
http://wiki.apache.org/tomcat/FAQ/Miscellaneous#Q3

Basically, unless you are very very careful, it allows anyone, through a carefully crafted 
request URL, to invoke this nasty class in this nasty jar, which does a "rm -r /*" or a 
"cat /etc/my/secret/file" or whatever else is really nasty.



RE: Static resource mapping in web.xml

Posted by fa...@geocom.com.uy.
Thanks Mark.

I'll try to upgrade to the latest then.

Invoker: I know it is bad (even more than the overlord), probably don't know
how bad or the impact it has in usage, but for now it works.

I've read some about it, but never could really understand the problems it
brings.

In our current situation, mapping the servlets is a bit messy, probably
because our developing process is messy...

Thanks again Mark.

Regards,
    Federico.



Re: Static resource mapping in web.xml

Posted by Mark Thomas <ma...@apache.org>.
On 08/06/2011 15:17, falvarez@geocom.com.uy wrote:

> I have a WEBAPP which uses the "invoker" servlet (I know how
> bad it is, but for now it gets the job done).

That is such a monumentally bad idea I'm not at all sure you really do
understand just how bad it is.

> The problem is that static content is not shown under
> "images", it is shown under "images/images".

That is because the default servlet was designed and documented only for
mapping to /*

Since so many people mis-use it (which creates security issues) support
for mapping to something other than /* was added in 6.0.30 onwards.

Mark



Re: RE: Static resource mapping in web.xml

Posted by "Terence M. Bandoian" <te...@tmbsw.com>.
On 1:59 PM, falvarez@geocom.com.uy wrote:
> Yes, we would probably use some tools to build the web.xml.
>
> Currently our application has something between 10000 and 15000 servlets.
>
> Mapping to "/servlet/*" how it works now, a normal URL is "http://host:8080/webapp/servlet/myservlet". But then I tried to remove the "/servlet/" from the URL, that's when all this trouble began.
>
>> Don't map to "/*" of course: instead map to a specific URL.
> 	My intention is to map "myservlet" to "/myservlet", for example. This removes any additional string in the URL. So the URL becomes: "http://host:8080/webapp/myservlet".
>
> The application works fine with this new invoker mapping, the only "problem" is that resources are served under "/images/images/*". This impacts in many servlets that have hard-coded access to images, javascripts or css files (I know how bad this is), also others have relative links that now don't work. Most do have a parameter pointing to the right resource folder and work fine, but finding the ones causing trouble is not easy.
>
> The "excuse" or "reason" I've been getting when this matter is addressed is the ease of deployment the invoker provides.
>
> I will be building a testing environment a few days from now, using a proper web.xml and no invoker. Guess my job now will be to demonstrate the advantages of this (the URL improvement will be the easiest for them to see). Of course for this matter to succeed the creation of a fully automated web.xml building script will be required.
>
> Thanks for the help.
>
> Best regards,
> 	Federico.
>

Hi, Federico-

If I understand this correctly, and you're using ant, you should be able 
to strip '/servlet' from the servlet mappings by changing the uriroot 
attribute in the jasper2 task.

-Terence Bandoian





RE: Static resource mapping in web.xml

Posted by fa...@geocom.com.uy.
Yes, we would probably use some tools to build the web.xml.

Currently our application has something between 10000 and 15000 servlets.

Mapping to "/servlet/*" how it works now, a normal URL is "http://host:8080/webapp/servlet/myservlet". But then I tried to remove the "/servlet/" from the URL, that's when all this trouble began.

> Don't map to "/*" of course: instead map to a specific URL.

	My intention is to map "myservlet" to "/myservlet", for example. This removes any additional string in the URL. So the URL becomes: "http://host:8080/webapp/myservlet".

The application works fine with this new invoker mapping, the only "problem" is that resources are served under "/images/images/*". This impacts in many servlets that have hard-coded access to images, javascripts or css files (I know how bad this is), also others have relative links that now don't work. Most do have a parameter pointing to the right resource folder and work fine, but finding the ones causing trouble is not easy.

The "excuse" or "reason" I've been getting when this matter is addressed is the ease of deployment the invoker provides.

I will be building a testing environment a few days from now, using a proper web.xml and no invoker. Guess my job now will be to demonstrate the advantages of this (the URL improvement will be the easiest for them to see). Of course for this matter to succeed the creation of a fully automated web.xml building script will be required.

Thanks for the help.

Best regards,
	Federico.



Re: Static resource mapping in web.xml

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Federico,

On 6/8/2011 2:04 PM, falvarez@geocom.com.uy wrote:
> If this is the case I could make it weight-in in the matter of building a
> well formed web.xml.
> 
> Although it could take some time.

How many servlets do you have?

> Mapping each servlet to an "/*" url-pattern will avoid us from using invoker
> and at the same time get rid of "/servlet" in the URL and keep images under
> "/images".

Don't map to "/*" of course: instead map to a specific URL.

You can use some simple tools to generate the mappings. Something like this:

$ find . -name "*Servlet.java" | sed -e 's/\(.*\)\.java/<servlet>\n <servlet-name>\1<\/servlet-name>\n <servlet-class>\1<\/servlet-class>\n<\/servlet>\n\n<servlet-mapping>\n <servlet-name>\1<\/servlet-name>\n <url-pattern>\1<\/url-pattern>\n<\/servlet-mapping>/'

Obviously, you'll have to massage some of that: the servlet-class needs
to be dot-separated; the above command will give you slash-separated
names.

You'll also have to separate the <servlet> and <servlet-mapping>
sections ... or just run two separate commands: one to generate the
<servlet> elements and the other to generate the <servlet-mapping> elements.

Removing the invoker servlet and just explicitly mapping everything is
only a /little/ tedious but much safer. Take the time to do this now.

-chris
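
Added example, not Christopher's code: a script that does the massaging he describes, turning each path into a dot-separated class name and printing all <servlet> elements before the <servlet-mapping> elements. The "*Servlet.java" naming comes from his command; mapping each servlet to "/<SimpleName>", the package names in the demo, and the refusal to continue when two classes share a simple name are assumptions made for the example.

```shell
#!/bin/sh
# gen_webxml SRC_ROOT
# Prints one <servlet> element per *Servlet.java under SRC_ROOT, then one
# <servlet-mapping> per servlet. Assumptions (not from the thread): SRC_ROOT
# is the root of the package tree and each servlet is exposed at /<SimpleName>.
gen_webxml() {
    src_root=$1
    files=$(cd "$src_root" && find . -name '*Servlet.java' | sed 's|^\./||' | sort) || return 1
    if [ -z "$files" ]; then
        echo "gen_webxml: no *Servlet.java under $src_root" >&2
        return 1
    fi

    # Two classes with the same simple name would claim the same servlet-name
    # and URL. Stop and report instead of emitting an ambiguous mapping.
    dups=$(printf '%s\n' "$files" | sed -e 's|.*/||' -e 's|\.java$||' | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "gen_webxml: ambiguous servlet names:" $dups >&2
        return 2
    fi

    # Pass 1: declarations, with the path turned into a dot-separated class name.
    printf '%s\n' "$files" | while IFS= read -r f; do
        class=$(printf '%s' "${f%.java}" | tr '/' '.')
        printf '<servlet>\n  <servlet-name>%s</servlet-name>\n' "${class##*.}"
        printf '  <servlet-class>%s</servlet-class>\n</servlet>\n' "$class"
    done

    # Pass 2: one explicit URL per servlet, never a wildcard.
    printf '%s\n' "$files" | while IFS= read -r f; do
        name=${f##*/}
        name=${name%.java}
        printf '<servlet-mapping>\n  <servlet-name>%s</servlet-name>\n' "$name"
        printf '  <url-pattern>/%s</url-pattern>\n</servlet-mapping>\n' "$name"
    done
}

# Demo on a constructed source tree (placeholder package and class names).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/com/example/web"
: > "$demo_root/com/example/web/HomeServlet.java"
: > "$demo_root/com/example/web/HelpServlet.java"
gen_webxml "$demo_root"
rm -rf "$demo_root"
```

Only classes that appear in the generated list become reachable by URL, so the output can be reviewed like any other allowlist before it is pasted into web.xml.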


RE: Static resource mapping in web.xml

Posted by fa...@geocom.com.uy.
Thanks Tim.

If this is the case I could make it weight-in in the matter of building a
well formed web.xml.

Although it could take some time.

Mapping each servlet to an "/*" url-pattern will avoid us from using invoker
and at the same time get rid of "/servlet" in the URL and keep images under
"/images".

Thanks a lot Tim and thanks to all.

Regards,
    Federico.



Re: Static resource mapping in web.xml

Posted by Tim Funk <fu...@apache.org>.
yes - that would be a problem.  The invoker doesn't know how to serve static
resources.

-Tim

On Wed, Jun 8, 2011 at 1:44 PM, <fa...@geocom.com.uy> wrote:

> I agree with you.
>
> The static resources were never a problem to me, but since I messed with
> the web.xml they started to behave oddly.
>
> Maybe this line is causing trouble:
>     <servlet-mapping>
>        <servlet-name>invoker</servlet-name>
>        <url-pattern>/*</url-pattern>
>    </servlet-mapping>
>
> It used to be:
>     <servlet-mapping>
>        <servlet-name>invoker</servlet-name>
>         <url-pattern>/servlet/*</url-pattern>
>    </servlet-mapping>
>
> What do you think? Can this be interfering with the requests to resources?
>
>

RE: Static resource mapping in web.xml

Posted by fa...@geocom.com.uy.
I agree with you.

The static resources were never a problem to me, but since I messed with
the web.xml they started to behave oddly.

Maybe this line is causing trouble:
    <servlet-mapping>
        <servlet-name>invoker</servlet-name>
        <url-pattern>/*</url-pattern>
    </servlet-mapping>

It used to be:
    <servlet-mapping>
        <servlet-name>invoker</servlet-name>
        <url-pattern>/servlet/*</url-pattern>
    </servlet-mapping>

What do you think? Can this be interfering with the requests to resources?


Re: Static resource mapping in web.xml

Posted by Tim Funk <fu...@apache.org>.
If your images are in the correct directory then tomcat will serve them for
you with its DefaultServlet. There should be nothing to do.

Then to serve resources via the invoker - this is where the filter is handy.
You declare the invoker servlet - but you do not map it. The servlet api
allows you to invoke an unmapped servlet by requesting it by name from the
ServletContext. So the filter is doing the access control mapping to
determine if the invoker should be invoked.

-Tim

On Wed, Jun 8, 2011 at 12:34 PM, <fa...@geocom.com.uy> wrote:

> I thought the filter would allow me to serve the static resources under
> "/images/".
>
> I understand if it is in order to make invoker more secure.
>
> But what I'm actually trying to achieve is the proper serving of resources.
>
> I don't know exactly why, but mapping the default servlet to "/*" is not
> working (probably my fault). What Mark pointed in his first mail is that
> this kind of mapping was added in release 6.0.30. I'll try this as soon as
> possible.
>
>

RE: Static resource mapping in web.xml

Posted by fa...@geocom.com.uy.
I thought the filter would allow me to serve the static resources under
"/images/".

I understand if it is in order to make invoker more secure.

But what I'm actually trying to achieve is the proper serving of resources.

I don't know exactly why, but mapping the default servlet to "/*" is not
working (probably my fault). What Mark pointed in his first mail is that
this kind of mapping was added in release 6.0.30. I'll try this as soon as
possible.


Re: Static resource mapping in web.xml

Posted by Tim Funk <fu...@apache.org>.
No - images will be served by the default servlet so nothing needs to be
done for images.

The filter is used as a way to let the invoker work and be a tiny bit more
secure. So the filter is mapped to /* and will forward anything to the
invoker servlet if the requested path *looks like one of your classes*. ...
otherwise the filter uses chain.doFilter(...)  to let the request be handled
by any other mapped servlets. (In this case the default servlet)

There are many tutorials on the web about filters


-Tim


RE: Static resource mapping in web.xml

Posted by fa...@geocom.com.uy.
Interesting, Tim. But a little confusing for me.

I have never used filters, but from what you said and what I googled: I would
have to build a filter and map it to "/images/*", right?

Something like:
    <filter>
        <filter-name>Resource filter</filter-name>
        <filter-class>com.mycompany.resourcefilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>Resource filter</filter-name>
        <url-pattern>/images/*</url-pattern>
    </filter-mapping>

If I understand correctly, every request made to this URL path will be
answered with what I declare in the filter.

Am I on the right track?



Re: Static resource mapping in web.xml

Posted by Tim Funk <fu...@apache.org>.
 Your "easiest" workaround is to use a filter.

So
1) have the default servlet map to /* (which is the default)
2) keep the invoker declared
3) And make your filter do this ...

doFilter(..) {
  if (request.getServletPath().matches(regex-here)) {
    servletContext.getNamedDispatcher("invoker").forward(request,response);
    return;
  }
  chain.doFilter(...)
}

Where regex-here is something which limits the mayhem you are imposing on
yourself ... like this: "/servlet/com\.yourcompany\..+"

-Tim

On 6/8/2011 10:17 AM, falvarez@geocom.com.uy wrote:

Dear all,

I'm facing the following problem in Tomcat (probably just configuration).

I have a WEBAPP which uses the "invoker" servlet (I know how bad it is, but
for now it gets the job done).

The static content is under the "/images/" path.

So a typical URL was like "http://host:8080/webapp/servlet/home".

To avoid the "servlet" part of the URL I laid hands on "web.xml".

This is the result:

    <web-app>
        <servlet-mapping>
            <servlet-name>invoker</servlet-name>
            <url-pattern>/*</url-pattern>
        </servlet-mapping>
        <servlet-mapping>
            <servlet-name>default</servlet-name>
            <url-pattern>/images/*</url-pattern>
        </servlet-mapping>
    </web-app>

The problem is that static content is not shown under "images", it is shown
under "images/images".

For example:

    http://host:8080/webapp/images/help.png           ERROR
    http://host:8080/webapp/images/images/help.png    OK

In order to keep things as tidy as possible I would like static content to be
served under "images".

Using ROOT is not an option because this Tomcat is shared among several
WEBAPPS.

Is there anything wrong with my configuration or am I missing something?

This post addresses the same issue:

http://stackoverflow.com/questions/234210/can-anyone-explain-servlet-mapping

Thanks in advance and please excuse my bad English.

Best regards,

Federico.

OS        CentOS 5
Tomcat    6.0.29
JVM       1.6.0_20-b02
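
The filter sketched in Tim Funk's message above, written out as a complete class for the Servlet 2.5 API (javax.servlet) that Tomcat 6 implements. This is an added example, not code from the thread: the class name InvokerGuardFilter and the init-param allowedPattern are made up for illustration, and it assumes the filter is mapped to /* while the invoker servlet stays declared without a /* mapping of its own.

```java
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (hypothetical class name). Only paths matching an allowlist
 * pattern are handed to the servlet named "invoker"; the rest go down the chain.
 */
public class InvokerGuardFilter implements Filter {
    // Default is the pattern quoted in the message; the init-param name
    // "allowedPattern" is an assumption of this example.
    private static final String DEFAULT_PATTERN = "/servlet/com\\.yourcompany\\..+";

    private ServletContext context;
    private Pattern allowed;

    public void init(FilterConfig config) throws ServletException {
        context = config.getServletContext();
        String configured = config.getInitParameter("allowedPattern");
        allowed = Pattern.compile(configured != null ? configured : DEFAULT_PATTERN);
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // Path inside the webapp, whichever way the target servlet is mapped.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }
        // matches() has to cover the whole path, so it must start with the prefix.
        if (allowed.matcher(path).matches()) {
            RequestDispatcher invoker = context.getNamedDispatcher("invoker");
            if (invoker == null) { // "invoker" is not declared in web.xml
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
                return;
            }
            invoker.forward(req, res);
            return;
        }
        // Everything else (images, other static files) continues down the
        // chain and ends up at the default servlet.
        chain.doFilter(req, res);
    }

    public void destroy() {
    }
}
```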