Posted to users@tomcat.apache.org by Jacob Kjome <ho...@visi.com> on 2002/05/07 20:04:24 UTC

Re[2]: Help with hiding resources

Hello Kris,

You probably could use a servlet to serve up the .jar file for the
applet.  In the archive attribute, you could have a call to the
servlet which would serve up the .jar file from somewhere other than
the public area of the webapp.  However, they'd still be able to go to
that address to grab the file.

You could try using obfuscation to make it so that any decompiled code
is so obtuse that it would be pretty much unusable by anyone else.
That's probably your best solution.

Jake

Tuesday, May 07, 2002, 12:31:14 PM, you wrote:

KK> One more question Alessio (if you don't mind),

KK> If I have to put the jars in a subdirectory of a tomcat context root
KK> directory then is there any way to hide them from someone that can download
KK> them simply by typing http://mydomainname/applications/jars/myjarfile.jar?

KK> Thanks again.

KK> Regards

KK> Kris
KK> -----Original Message-----
KK> From: Alessio Fiore [mailto:afiore@alteanet.it]
KK> Sent: Tuesday, May 07, 2002 10:12 AM
KK> To: 'Tomcat Users List'
KK> Subject: R: Help with hiding resources


>>Thank you Alessio,
>>does this mean that if I put the jar files in WEB-INF/lib directory they
>>will be invisible to the browser? The WEB-INF/lib directory is a
>>subdirectory off of the Root directory called "applications", which is the
>>directory hosting the jsp files launching the applets and as such it should
>>be accessible by the applet that the codebase points to applications
>>directory (at least this is my understanding). Does Tomcat prohibit the html
>>page generated by the <jsp:plugin> from accessing the jar files in the
>>WEB-INF/lib directory?  And if so do they have to be in a generic directory
>>off of the root directory?


KK> Yes, WEB-INF and META-INF subdirs of a tomcat context root directory are not
KK> accessible externally (so the browser doesn't have access to any file under
KK> these dirs). They're just accessible internally (by the server-side
KK> application). Your applet files (.class or .jar) must be visible by the
KK> browser, because their reference is put in JSP-generated HTML page (that is
KK> parsed and managed by the browser itself), so you have to put them under a
KK> subdirectory of "applications" other than WEB-INF.

KK> Regards
KK> Alessio

>>Sorry if my mumbling is confusing I am just trying to understand what my
>>options are.

>>Thanks

>>Kris

KK> -----Original Message-----
KK> From: Alessio Fiore [mailto:afiore@alteanet.it]
KK> Sent: Tuesday, May 07, 2002 9:37 AM
KK> To: 'Tomcat Users List'
KK> Subject: R: Help with hiding resources


KK> Hi Kris, the jar that contains the applet and related classes *must* be
KK> accessible by the browser. If not the browser could not load it and extract
KK> the applet (throwing the java.io.FileNotFoundException).


KK> -----Original Message-----
KK> From: Kris Kras [mailto:KKras@mectrol.com]
KK> Sent: Tuesday, May 7, 2002 15.09
KK> To: tomcat-user@jakarta.apache.org
KK> Subject: Help with hiding resources


KK> Hello all,

KK> I have an application using jsps, servlets and applets running under Tomcat
KK> 4.03 and Struts 1.0 (win2k server).
KK> My application is located under "C:\Tomcat4\webapps\applications\" and all
KK> jsp files are there. Some jsps launch applets through <jsp:plugin> tags.
KK> Applets are packaged in jars located in
KK> "C:\Tomcat4\webapps\applications\jars\". A code fragment launching applets
KK> looks like this:
KK>     <jsp:plugin
KK>       type = "applet"
KK>       code = "myapplet.MyAppletClass.class"
KK>       archive = "jars/myapplet.jar"
KK>       codebase = "."
KK>       ...

KK> When I run the jsp files everything works great and applets launch
KK> correctly.

KK> The problem is that with this directory structure the jar files are visible
KK> and can be downloaded by typing
KK> "http://www.domainmame.com/applications/jars/" or
KK> "http://www.domainmame.com/applications/jars/myapplet.jar" and ultimately
KK> decompiled. I would like to hide the resources (jar files and everything
KK> else that is located in subdirectories of "\applications\"). I have tried
KK> putting the jar files in "C:\Tomcat4\webapps\applications\WEB_INF\lib\"
KK> where all other jar files (struts.jar, etc.) are located, but then
KK> regardless of what I used for "archive" and "codebase" parameters in
KK> <jsp:plugin> tag I get a file not found exception in the plugin console
KK> (java.io.FileNotFoundException:
KK> http://www.domainmame.com/applications/WEB-INF/lib/myapplet.jar) even though
KK> the jar file is there.

KK> I have tried setting the following values for "archive" and "codebase"
KK> parameters in <jsp:plugin> tag with the jar file in
KK> "C:\Tomcat4\webapps\applications\WEB_INF\lib\":

KK>       archive = "myapplet.jar"
KK>       codebase = "."

KK>       archive = "/WEB-INF/lib/myapplet.jar"
KK>       codebase = "."

KK>       archive = "myapplet.jar"
KK>       codebase = "/"

KK>       archive = "myapplet.jar"
KK>       codebase = "/applications/WEB-INF/lib/"

KK> None of the combinations worked. Can anyone help me with configuring these
KK> two parameters so the Tomcat can find myapplet.jar.

KK> Or is there a better solution to hiding resources under Tomcat.

KK> Any help would be greatly appreciated.

KK> Thanks

KK> Kris


KK> --
KK> To unsubscribe, e-mail:
KK> <ma...@jakarta.apache.org>
KK> For additional commands, e-mail:
KK> <ma...@jakarta.apache.org>



KK> - Disclaimer -
KK> This email and any attachments thereto may contain information which is
KK> confidential and/or protected by intellectual property rights and are
KK> intended for the sole use of the recipient(s) named above. Any use of the
KK> information contained herein (including, but not limited to, total or
KK> partial reproduction, communication or distribution in any form) or the
KK> taking of any action in reliance on the contents, by persons other than the
KK> designated recipient(s) is strictly prohibited.

KK> If you have received this email in error, please notify the sender either by
KK> telephone or by email and delete the material from any computer.

KK> Thank you for your cooperation.






-- 
Best regards,
 Jacob                            mailto:hoju@visi.com
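
The servlet approach suggested in the reply above, as an added example that is not part of the original thread or of Tomcat's own code. The class name, the /appletjar/* mapping and the /WEB-INF/applet-jars/ directory are assumptions, and the servlet API must be on the classpath:

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet, assumed to be mapped in web.xml to /appletjar/*.
public class AppletJarServlet extends HttpServlet {

    // Assumed private location; the container never serves WEB-INF directly.
    private static final String JAR_DIR = "/WEB-INF/applet-jars/";

    // Fixed allowlist: a request can never select an arbitrary file under WEB-INF.
    private static final Set<String> ALLOWED =
            new HashSet<String>(Arrays.asList("myapplet.jar"));

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String info = req.getPathInfo();              // e.g. "/myapplet.jar", or null
        String name = (info == null) ? "" : info.substring(1);
        if (!ALLOWED.contains(name)) {                // rejects "../" and unknown names
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Read through the ServletContext, which can see inside WEB-INF.
        InputStream in = getServletContext().getResourceAsStream(JAR_DIR + name);
        if (in == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        try {
            resp.setContentType("application/java-archive");
            OutputStream out = resp.getOutputStream();
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);                 // stream the jar to the plugin
            }
        } finally {
            in.close();
        }
    }
}
```

With this mapping the <jsp:plugin> tag would use archive = "appletjar/myapplet.jar". This removes the browsable jars/ directory, but as the reply notes, the jar is still downloadable from the servlet's URL by anyone who can reach it.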

