You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@tomcat.apache.org by Albert Moliner <am...@evintia.com> on 2003/12/12 11:36:17 UTC

Disabling JSP execution under certain dirs

Hello.

I've searched the archives on this subject, but the nearest I've reached has
been some posts about not serving static content. It's a bit of a surprise that
no one has asked this before, so sorry if it is a recurrent question.

I want Tomcat (4) to execute JSPs as usual, but prevent it from running the
files that are under a certain directory for security reasons. These files can
be published by external people and are supposed to be static, but if some
mischievous publisher posts a JSP and it is executed then there can be havoc.

Apart from preventing the publishing of files with that extension, is there a
possible configuration that can be set up?

I've tried mapping requests to that dir to the default servlet in web.xml, but
404 errors are returned (why??), and some other wierd things like using an
intermediate servlet that forwards to the default servlet through its named
request dispatcher (the forward method does not seem to do anything when using
the dault servlet, while any other seems to work) or setting up a separate
context for that dir and forward requests to the context, which maps *.jsp to
the default context (I'll skip the details), but I can't find the solution...

What astonishes me more is that forwarding or mapping to the default servlet
does not work, but anyway I must be doing something wrong...

Thank you very much,

Albert.



---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org

Re: Disabling JSP execution under certain dirs

Posted by Ben Souther <bs...@fwdco.com>.

> One thing you could try is a servlet mapping that sends all requests ending
> in that directory that end with .jsp

...all requests FROM that directory that end with ".jsp". 

Haven't had my coffee yet...... ;-)


On Friday 12 December 2003 09:36 am, Ben Souther wrote:
> It sounds like Albert wants certain (static) files to be viewable.
> He just doesn't want anyone to be able to execute JSPs from this directory.
>
> One thing you could try is a servlet mapping that sends all requests ending
> in that directory that end with .jsp to a servlet that sends back a message
> ("FORBIDDEN FILE").
>
>   <servlet-mapping>
>     <servlet-name>ForbiddenFileServlet</servlet-name>
>     <url-pattern>/DIRECTORY_NAME/*.jsp</url-pattern>
>   </servlet-mapping>
>
> -Ben
>
> On Friday 12 December 2003 09:10 am, Tim Funk wrote:
> > Ideally, files you don't want to be seen should be placed in WEB-INF.
> >
> > An alternative is to use a security constraint on the directory that has
> > all of the content. This can be done in apache too via the <Location>
> > directive.
> >
> > Another way is to place all those JSP's with a different extension and
> > then add the mapping to web.xml. Then add the security contraint for that
> > file extension. (Or let apache disallow that file extension)
> >
> > Forwarding to the default servelt WILL provide a 404 because it is a 404.
> > The default servlet gets any request not assigned to any other servlet.
> > So if the default servlet find the resource, it returns a 404.
> >
> > -Tim
> >
> > Albert Moliner wrote:
> > > Hello.
> > >
> > > I've searched the archives on this subject, but the nearest I've
> > > reached has been some posts about not serving static content. It's a
> > > bit of a surprise that no one has asked this before, so sorry if it is
> > > a recurrent question.
> > >
> > > I want Tomcat (4) to execute JSPs as usual, but prevent it from running
> > > the files that are under a certain directory for security reasons.
> > > These files can be published by external people and are supposed to be
> > > static, but if some mischievous publisher posts a JSP and it is
> > > executed then there can be havoc.
> > >
> > > Apart from preventing the publishing of files with that extension, is
> > > there a possible configuration that can be set up?
> > >
> > > I've tried mapping requests to that dir to the default servlet in
> > > web.xml, but 404 errors are returned (why??), and some other wierd
> > > things like using an intermediate servlet that forwards to the default
> > > servlet through its named request dispatcher (the forward method does
> > > not seem to do anything when using the dault servlet, while any other
> > > seems to work) or setting up a separate context for that dir and
> > > forward requests to the context, which maps *.jsp to the default
> > > context (I'll skip the details), but I can't find the solution...
> > >
> > > What astonishes me more is that forwarding or mapping to the default
> > > servlet does not work, but anyway I must be doing something wrong...
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org

-- 
Ben Souther
F.W. Davison & Company, Inc.



---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org

Re: Disabling JSP execution under certain dirs

Posted by Ben Souther <bs...@fwdco.com>.

Hmm... 
Should have tested the theory before suggesting it. 
I knew you could use wildcards in the mappings.
I assumed it was more robust....
Sorry.


On Friday 12 December 2003 10:24 am, Mark R. Diggory wrote:
> Yes, Unfortunately, I bounced off this as well, it would have behooved
> the Servlet API developers to allow URL Rewrites to be a little more
> powerful from a REGEXP standpoint. Look at the j2sdk1.4 api, we now have
> regexp's available there default. One would suspect that the Servlet API
> could easily start allowing more complex regexp into these entries.
>
> I would recommend writing a Filter that gets run prior to all jsp's and
> applying your own regexp/forwarding to the jsp's when you deem it
> appropriate. This requires j2sdk 1.4 and is pseudo code.
>
>
> public final class BlockJspFilter implements Filter {
>
>     String regexp = "*.(/foo/bar.jsp|/bim/bam.jsp).*";
>
>     public void doFilter(ServletRequest request,
>        ServletResponse response, FilterChain chain)
>        throws IOException, ServletException {
>
>        if(request.getRequestURL().matches(regexp)){
>        	/*send an error response*/
>        else{
> 	chain.doFilter(request, wrapper);
>        }
>        ...
>     }
> }
>
>     <filter>
>        <filter-name>BlockJspFilter</filter-name>
>        <filter-class>BlockJspFilter</filter-class>
>     </filter>
>     <filter-mapping>
>        <filter-name>BlockJspFilter</filter-name>
>        <url-pattern>*.jsp</url-pattern>
>     </filter-mapping>
>
> One could even go as far as to use the FilterConfig to pass in the
> regexps which could then be dynamically adjusted in the web.xml
>
> http://java.sun.com/products/servlet/Filters.html
>
> -Mark Diggory
>
> Albert Moliner wrote:
> > Finally I'll add the restriction on publication, but anyway it would nice
> > to know whether there's a solution to prevent the JSP from being served
> > (yes, retrieving an error message or just returning the JSP contents
> > without executing the class would be alright), at least for the sake of
> > knowing.
> >
> > The only problem with your alternative is that the mapping is not valid:
> > Perhaps Tomcat accepts it (I don't think so, as manymonths ago I tried
> > similar mappings and did not succeed), but anyway the servlet specs only
> > regard four types of mapping:
> > - exact path,
> > - directory ("/foo/bar/*"),
> > - extension ("*.jsp"),
> > - default("/").
> > I don't know why (performance?), but there's no place for things like
> > "/whatever/*.ext".
> >
> > About Tim's answer, there are some things that I don't see clear,
> > basically dealing with the default servlet. The default servlet is after
> > all a servlet, so it ought to be "forwardable" (something to do with
> > having it defined in the general web.xml and the forwarder servlet in the
> > app's?). Anyway, the security constraint seems the best approach. I'll
> > look up the security documentation.
> >
> > Thank you very much (though alternatives are still welcome, as I said
> > before).
> >
> > Albert.
> >
> >
> > ----- Original Message -----
> > From: "Ben Souther" <bs...@fwdco.com>
> > To: "Tomcat Users List" <to...@jakarta.apache.org>
> > Sent: Friday, December 12, 2003 3:36 PM
> > Subject: Re: Disabling JSP execution under certain dirs
> >
> >
> > It sounds like Albert wants certain (static) files to be viewable.
> > He just doesn't want anyone to be able to execute JSPs from this
> > directory.
> >
> > One thing you could try is a servlet mapping that sends all requests
> > ending in that directory that end with .jsp to a servlet that sends back
> > a message ("FORBIDDEN FILE").
> >
> >   <servlet-mapping>
> >     <servlet-name>ForbiddenFileServlet</servlet-name>
> >     <url-pattern>/DIRECTORY_NAME/*.jsp</url-pattern>
> >   </servlet-mapping>
> >
> > -Ben
> >
> > On Friday 12 December 2003 09:10 am, Tim Funk wrote:
> >>Ideally, files you don't want to be seen should be placed in WEB-INF.
> >>
> >>An alternative is to use a security constraint on the directory that has
> >>all of the content. This can be done in apache too via the <Location>
> >>directive.
> >>
> >>Another way is to place all those JSP's with a different extension and
> >> then add the mapping to web.xml. Then add the security contraint for
> >> that file extension. (Or let apache disallow that file extension)
> >>
> >>Forwarding to the default servelt WILL provide a 404 because it is a 404.
> >>The default servlet gets any request not assigned to any other servlet.
> >> So if the default servlet find the resource, it returns a 404.
> >>
> >>-Tim
> >>
> >>Albert Moliner wrote:
> >>>Hello.
> >>>
> >>>I've searched the archives on this subject, but the nearest I've reached
> >>>has been some posts about not serving static content. It's a bit of a
> >>>surprise that no one has asked this before, so sorry if it is a
> >>> recurrent question.
> >>>
> >>>I want Tomcat (4) to execute JSPs as usual, but prevent it from running
> >>>the files that are under a certain directory for security reasons. These
> >>>files can be published by external people and are supposed to be static,
> >>>but if some mischievous publisher posts a JSP and it is executed then
> >>>there can be havoc.
> >>>
> >>>Apart from preventing the publishing of files with that extension, is
> >>>there a possible configuration that can be set up?
> >>>
> >>>I've tried mapping requests to that dir to the default servlet in
> >>>web.xml, but 404 errors are returned (why??), and some other wierd
> >>> things like using an intermediate servlet that forwards to the default
> >>> servlet through its named request dispatcher (the forward method does
> >>> not seem to do anything when using the dault servlet, while any other
> >>> seems to work) or setting up a separate context for that dir and
> >>> forward requests to the context, which maps *.jsp to the default
> >>> context (I'll skip the details), but I can't find the solution...
> >>>
> >>>What astonishes me more is that forwarding or mapping to the default
> >>>servlet does not work, but anyway I must be doing something wrong...
> >>
> >>---------------------------------------------------------------------
> >>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> >>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> >
> > --
> > Ben Souther
> > F.W. Davison & Company, Inc.
> >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org

-- 
Ben Souther
F.W. Davison & Company, Inc.



---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org

Re: Disabling JSP execution under certain dirs

Posted by Tim Funk <fu...@joedog.org>.

Yup - the spec sucks with respect to combining path prefix and extension 
mapping. :( The ideal solution is still to put the jsps inside WEB-INF or to 
use apache and disallow via a deny directive.

As for the default servlet, you can add a init parameter to it for debugging, 
if you set it to 99, it may provide some insight as to what the default 
servlet is trying to do with respect to the way it is being called.

-Tim

Albert Moliner wrote:

> Finally I'll add the restriction on publication, but anyway it would nice to
> know whether there's a solution to prevent the JSP from being served (yes,
> retrieving an error message or just returning the JSP contents without executing
> the class would be alright), at least for the sake of knowing.
> 
> The only problem with your alternative is that the mapping is not valid: Perhaps
> Tomcat accepts it (I don't think so, as manymonths ago I tried similar mappings
> and did not succeed), but anyway the servlet specs only regard four types of
> mapping:
> - exact path,
> - directory ("/foo/bar/*"),
> - extension ("*.jsp"),
> - default("/").
> I don't know why (performance?), but there's no place for things like
> "/whatever/*.ext".
> 
> About Tim's answer, there are some things that I don't see clear, basically
> dealing with the default servlet. The default servlet is after all a servlet, so
> it ought to be "forwardable" (something to do with having it defined in the
> general web.xml and the forwarder servlet in the app's?). Anyway, the security
> constraint seems the best approach. I'll look up the security documentation.
> 
> Thank you very much (though alternatives are still welcome, as I said before).
> 
> Albert.
> 
> 
> ----- Original Message -----
> From: "Ben Souther" <bs...@fwdco.com>
> To: "Tomcat Users List" <to...@jakarta.apache.org>
> Sent: Friday, December 12, 2003 3:36 PM
> Subject: Re: Disabling JSP execution under certain dirs
> 
> 
> It sounds like Albert wants certain (static) files to be viewable.
> He just doesn't want anyone to be able to execute JSPs from this directory.
> 
> One thing you could try is a servlet mapping that sends all requests ending in
> that directory that end with .jsp to a servlet that sends back a message
> ("FORBIDDEN FILE").
> 
>   <servlet-mapping>
>     <servlet-name>ForbiddenFileServlet</servlet-name>
>     <url-pattern>/DIRECTORY_NAME/*.jsp</url-pattern>
>   </servlet-mapping>
> 
> -Ben
> 
> On Friday 12 December 2003 09:10 am, Tim Funk wrote:
> 
>>Ideally, files you don't want to be seen should be placed in WEB-INF.
>>
>>An alternative is to use a security constraint on the directory that has
>>all of the content. This can be done in apache too via the <Location>
>>directive.
>>
>>Another way is to place all those JSP's with a different extension and then
>>add the mapping to web.xml. Then add the security contraint for that file
>>extension. (Or let apache disallow that file extension)
>>
>>Forwarding to the default servelt WILL provide a 404 because it is a 404.
>>The default servlet gets any request not assigned to any other servlet. So
>>if the default servlet find the resource, it returns a 404.
>>
>>-Tim
>>
>>Albert Moliner wrote:
>>
>>>Hello.
>>>
>>>I've searched the archives on this subject, but the nearest I've reached
>>>has been some posts about not serving static content. It's a bit of a
>>>surprise that no one has asked this before, so sorry if it is a recurrent
>>>question.
>>>
>>>I want Tomcat (4) to execute JSPs as usual, but prevent it from running
>>>the files that are under a certain directory for security reasons. These
>>>files can be published by external people and are supposed to be static,
>>>but if some mischievous publisher posts a JSP and it is executed then
>>>there can be havoc.
>>>
>>>Apart from preventing the publishing of files with that extension, is
>>>there a possible configuration that can be set up?
>>>
>>>I've tried mapping requests to that dir to the default servlet in
>>>web.xml, but 404 errors are returned (why??), and some other wierd things
>>>like using an intermediate servlet that forwards to the default servlet
>>>through its named request dispatcher (the forward method does not seem to
>>>do anything when using the dault servlet, while any other seems to work)
>>>or setting up a separate context for that dir and forward requests to the
>>>context, which maps *.jsp to the default context (I'll skip the details),
>>>but I can't find the solution...
>>>
>>>What astonishes me more is that forwarding or mapping to the default
>>>servlet does not work, but anyway I must be doing something wrong...
>> 


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org

Re: Disabling JSP execution under certain dirs

Posted by "Mark R. Diggory" <md...@latte.harvard.edu>.

If I understand correctly chain.doFilter(request, wrapper); is basically
managing the forwarding behavior your looking to accomplish during the
decision making process (IE to execute the servlet, jsp, or return
static content via the default servlet.

In otherwords, if the request matches a specific pattern, then pass it
onto the next filter, eventually this will hit the default or jsp
servlets for you without your needing to resolve the servlet that will
be at the end.

In instances where you recognize in the regexp that you don't want this
behavior your going to need logic to determine what the alternate
behavior would be.

In terms of aquiring the default servlet:

Speculation: the RequestDispatcher may be doing "mapping" internally
too, so you may need to be doing something like the following in your
web.xml to actually aquire a request dispatcher directly to the servlet.

<servlet-mapping>
	<servlet-name>default</servlet-name>
	<url-pattern>blaa</url-pattern>
</servlet-mapping>

RequestDispatcher defaultDispatcher =
getServletContext().getNamedDispatcher("blaa");
defaultDispatcher.forward(request, response);

But this is just speculation.

-Mark

Albert Moliner wrote:
> Touché.
> I don't know why I had not thought of filters for this...
> 
> Oh, yes, now I know:
> My initial intention was to return the JSP file contents as if it were a .txt
> file, and though ServletContext.getResourceAsStream could be used, it involved
> having to implement the same behaviour as the default servlet does (last
> modified checks, etc.). So after all I wanted the default servlet to serve the
> request, and the filter would have needed the same behaviour as the forwarding
> servlet I had implemented.
> 
> Therefore, my question now becomes: If I needed the default servlet (or the jsp
> servlet, as it seems to have the same problems) to serve all requests inside a
> subdirectory, or perhaps just some files with a pattern under a subdir, how
> should I proceed?
> 
> In other words: What's wrong with doing (don't consider code quality, it's just
> to show the procedure)
> 
> ----
>     RequestDispatcher defaultDispatcher =
> getServletContext().getNamedDispatcher("default");
>     defaultDispatcher.forward(request, response);
> ----
> 
> ? Why doesn't it work (and "jsp" doesn't, either), while any other servlet name
> just seems to work fine?
> 
> Or, otherwise, in the app's web.xml,
> 
> ----
>     <servlet-mapping>
>         <servlet-name>default</servlet-name>
>         <url-pattern>/foo/bar/*</url-pattern>
>     </servlet-mapping>
> ----
> 
> ? Amazingly,
> 
> ----
>     <servlet-mapping>
>         <servlet-name>default</servlet-name>
>         <url-pattern>/foo/bar/file.jsp</url-pattern>
>     </servlet-mapping>
> ----
> 
> does seem to work, while not the "/foo/bar/*" mapping (and this mapping works
> with any other servlet name defined in the same web.xml file).
> 
> Is it that today it's a Friday? Am I misunderstanding something very basic? Is
> this a common behaviour, or just happens in Tomcat (4.1.something)?
> 
> Thanks,
> Albert.
> 
> 
> ----- Original Message -----
> From: "Mark R. Diggory" <md...@latte.harvard.edu>
> To: "Tomcat Users List" <to...@jakarta.apache.org>
> Sent: Friday, December 12, 2003 4:24 PM
> Subject: Re: Disabling JSP execution under certain dirs
> 
> 
> 
>>Yes, Unfortunately, I bounced off this as well, it would have behooved
>>the Servlet API developers to allow URL Rewrites to be a little more
>>powerful from a REGEXP standpoint. Look at the j2sdk1.4 api, we now have
>>regexp's available there default. One would suspect that the Servlet API
>>could easily start allowing more complex regexp into these entries.
>>
>>I would recommend writing a Filter that gets run prior to all jsp's and
>>applying your own regexp/forwarding to the jsp's when you deem it
>>appropriate. This requires j2sdk 1.4 and is pseudo code.
>>
>>
>>public final class BlockJspFilter implements Filter {
>>
>>    String regexp = "*.(/foo/bar.jsp|/bim/bam.jsp).*";
>>
>>    public void doFilter(ServletRequest request,
>>       ServletResponse response, FilterChain chain)
>>       throws IOException, ServletException {
>>
>>       if(request.getRequestURL().matches(regexp)){
>>       /*send an error response*/
>>       else{
>>chain.doFilter(request, wrapper);
>>       }
>>       ...
>>    }
>>}
>>
>>    <filter>
>>       <filter-name>BlockJspFilter</filter-name>
>>       <filter-class>BlockJspFilter</filter-class>
>>    </filter>
>>    <filter-mapping>
>>       <filter-name>BlockJspFilter</filter-name>
>>       <url-pattern>*.jsp</url-pattern>
>>    </filter-mapping>
>>
>>One could even go as far as to use the FilterConfig to pass in the
>>regexps which could then be dynamically adjusted in the web.xml
>>
>>http://java.sun.com/products/servlet/Filters.html
>>
>>-Mark Diggory
>>
> 
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> 

-- 
Mark Diggory
Software Developer
Harvard MIT Data Center
http://osprey.hmdc.harvard.edu



---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org

Re: Disabling JSP execution under certain dirs

Posted by "Mark R. Diggory" <md...@latte.harvard.edu>.

If I understand correctly chain.doFilter(request, wrapper); is basically 
managing the forwarding behavior your looking to accomplish during the 
decision making process (IE to execute the servlet, jsp, or return 
static content via the default servlet.

In otherwords, if the request matches a specific pattern, then pass it 
onto the next filter, eventually this will hit the default or jsp 
servlets for you without your needing to resolve the servlet that will 
be at the end.

In instances where you recognize in the regexp that you don't want this 
behavior your going to need logic to determine what the alternate 
behavior would be.

In terms of aquiring the default servlet:

Speculation: the RequestDispatcher may be doing "mapping" internally 
too, so you may need to be doing something like the following in your 
web.xml to actually aquire a request dispatcher directly to the servlet.

<servlet-mapping>
	<servlet-name>default</servlet-name>
	<url-pattern>blaa</url-pattern>
</servlet-mapping>

RequestDispatcher defaultDispatcher =
getServletContext().getNamedDispatcher("blaa");
defaultDispatcher.forward(request, response);

But this is just speculation.

-Mark

Albert Moliner wrote:
> Touché.
> I don't know why I had not thought of filters for this...
> 
> Oh, yes, now I know:
> My initial intention was to return the JSP file contents as if it were a .txt
> file, and though ServletContext.getResourceAsStream could be used, it involved
> having to implement the same behaviour as the default servlet does (last
> modified checks, etc.). So after all I wanted the default servlet to serve the
> request, and the filter would have needed the same behaviour as the forwarding
> servlet I had implemented.
> 
> Therefore, my question now becomes: If I needed the default servlet (or the jsp
> servlet, as it seems to have the same problems) to serve all requests inside a
> subdirectory, or perhaps just some files with a pattern under a subdir, how
> should I proceed?
> 
> In other words: What's wrong with doing (don't consider code quality, it's just
> to show the procedure)
> 
> ----
>     RequestDispatcher defaultDispatcher =
> getServletContext().getNamedDispatcher("default");
>     defaultDispatcher.forward(request, response);
> ----
> 
> ? Why doesn't it work (and "jsp" doesn't, either), while any other servlet name
> just seems to work fine?
> 
> Or, otherwise, in the app's web.xml,
> 
> ----
>     <servlet-mapping>
>         <servlet-name>default</servlet-name>
>         <url-pattern>/foo/bar/*</url-pattern>
>     </servlet-mapping>
> ----
> 
> ? Amazingly,
> 
> ----
>     <servlet-mapping>
>         <servlet-name>default</servlet-name>
>         <url-pattern>/foo/bar/file.jsp</url-pattern>
>     </servlet-mapping>
> ----
> 
> does seem to work, while not the "/foo/bar/*" mapping (and this mapping works
> with any other servlet name defined in the same web.xml file).
> 
> Is it that today it's a Friday? Am I misunderstanding something very basic? Is
> this a common behaviour, or just happens in Tomcat (4.1.something)?
> 
> Thanks,
> Albert.
> 
> 
> ----- Original Message -----
> From: "Mark R. Diggory" <md...@latte.harvard.edu>
> To: "Tomcat Users List" <to...@jakarta.apache.org>
> Sent: Friday, December 12, 2003 4:24 PM
> Subject: Re: Disabling JSP execution under certain dirs
> 
> 
> 
>>Yes, Unfortunately, I bounced off this as well, it would have behooved
>>the Servlet API developers to allow URL Rewrites to be a little more
>>powerful from a REGEXP standpoint. Look at the j2sdk1.4 api, we now have
>>regexp's available there default. One would suspect that the Servlet API
>>could easily start allowing more complex regexp into these entries.
>>
>>I would recommend writing a Filter that gets run prior to all jsp's and
>>applying your own regexp/forwarding to the jsp's when you deem it
>>appropriate. This requires j2sdk 1.4 and is pseudo code.
>>
>>
>>public final class BlockJspFilter implements Filter {
>>
>>    String regexp = "*.(/foo/bar.jsp|/bim/bam.jsp).*";
>>
>>    public void doFilter(ServletRequest request,
>>       ServletResponse response, FilterChain chain)
>>       throws IOException, ServletException {
>>
>>       if(request.getRequestURL().matches(regexp)){
>>       /*send an error response*/
>>       else{
>>chain.doFilter(request, wrapper);
>>       }
>>       ...
>>    }
>>}
>>
>>    <filter>
>>       <filter-name>BlockJspFilter</filter-name>
>>       <filter-class>BlockJspFilter</filter-class>
>>    </filter>
>>    <filter-mapping>
>>       <filter-name>BlockJspFilter</filter-name>
>>       <url-pattern>*.jsp</url-pattern>
>>    </filter-mapping>
>>
>>One could even go as far as to use the FilterConfig to pass in the
>>regexps which could then be dynamically adjusted in the web.xml
>>
>>http://java.sun.com/products/servlet/Filters.html
>>
>>-Mark Diggory
>>
> 
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> 

-- 
Mark Diggory
Software Developer
Harvard MIT Data Center
http://osprey.hmdc.harvard.edu

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org

Re: Disabling JSP execution under certain dirs

Posted by Albert Moliner <am...@evintia.com>.

Touché.
I don't know why I had not thought of filters for this...

Oh, yes, now I know:
My initial intention was to return the JSP file contents as if it were a .txt
file, and though ServletContext.getResourceAsStream could be used, it involved
having to implement the same behaviour as the default servlet does (last
modified checks, etc.). So after all I wanted the default servlet to serve the
request, and the filter would have needed the same behaviour as the forwarding
servlet I had implemented.

Therefore, my question now becomes: If I needed the default servlet (or the jsp
servlet, as it seems to have the same problems) to serve all requests inside a
subdirectory, or perhaps just some files with a pattern under a subdir, how
should I proceed?

In other words: What's wrong with doing (don't consider code quality, it's just
to show the procedure)

----
    RequestDispatcher defaultDispatcher =
getServletContext().getNamedDispatcher("default");
    defaultDispatcher.forward(request, response);
----

? Why doesn't it work (and "jsp" doesn't, either), while any other servlet name
just seems to work fine?

Or, otherwise, in the app's web.xml,

----
    <servlet-mapping>
        <servlet-name>default</servlet-name>
        <url-pattern>/foo/bar/*</url-pattern>
    </servlet-mapping>
----

? Amazingly,

----
    <servlet-mapping>
        <servlet-name>default</servlet-name>
        <url-pattern>/foo/bar/file.jsp</url-pattern>
    </servlet-mapping>
----

does seem to work, while not the "/foo/bar/*" mapping (and this mapping works
with any other servlet name defined in the same web.xml file).

Is it that today it's a Friday? Am I misunderstanding something very basic? Is
this a common behaviour, or just happens in Tomcat (4.1.something)?

Thanks,
Albert.


----- Original Message -----
From: "Mark R. Diggory" <md...@latte.harvard.edu>
To: "Tomcat Users List" <to...@jakarta.apache.org>
Sent: Friday, December 12, 2003 4:24 PM
Subject: Re: Disabling JSP execution under certain dirs


> Yes, Unfortunately, I bounced off this as well, it would have behooved
> the Servlet API developers to allow URL Rewrites to be a little more
> powerful from a REGEXP standpoint. Look at the j2sdk1.4 api, we now have
> regexp's available there default. One would suspect that the Servlet API
> could easily start allowing more complex regexp into these entries.
>
> I would recommend writing a Filter that gets run prior to all jsp's and
> applying your own regexp/forwarding to the jsp's when you deem it
> appropriate. This requires j2sdk 1.4 and is pseudo code.
>
>
> public final class BlockJspFilter implements Filter {
>
>     String regexp = "*.(/foo/bar.jsp|/bim/bam.jsp).*";
>
>     public void doFilter(ServletRequest request,
>        ServletResponse response, FilterChain chain)
>        throws IOException, ServletException {
>
>        if(request.getRequestURL().matches(regexp)){
>        /*send an error response*/
>        else{
> chain.doFilter(request, wrapper);
>        }
>        ...
>     }
> }
>
>     <filter>
>        <filter-name>BlockJspFilter</filter-name>
>        <filter-class>BlockJspFilter</filter-class>
>     </filter>
>     <filter-mapping>
>        <filter-name>BlockJspFilter</filter-name>
>        <url-pattern>*.jsp</url-pattern>
>     </filter-mapping>
>
> One could even go as far as to use the FilterConfig to pass in the
> regexps which could then be dynamically adjusted in the web.xml
>
> http://java.sun.com/products/servlet/Filters.html
>
> -Mark Diggory
>



---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org

Re: Disabling JSP execution under certain dirs

Posted by "Mark R. Diggory" <md...@latte.harvard.edu>.

Yes, Unfortunately, I bounced off this as well, it would have behooved 
the Servlet API developers to allow URL Rewrites to be a little more 
powerful from a REGEXP standpoint. Look at the j2sdk1.4 api, we now have 
regexp's available there default. One would suspect that the Servlet API 
could easily start allowing more complex regexp into these entries.

I would recommend writing a Filter that gets run prior to all jsp's and 
applying your own regexp/forwarding to the jsp's when you deem it 
appropriate. This requires j2sdk 1.4 and is pseudo code.


public final class BlockJspFilter implements Filter {

    String regexp = "*.(/foo/bar.jsp|/bim/bam.jsp).*";

    public void doFilter(ServletRequest request,
       ServletResponse response, FilterChain chain)
       throws IOException, ServletException {

       if(request.getRequestURL().matches(regexp)){
       	/*send an error response*/
       else{
	chain.doFilter(request, wrapper);
       }
       ...
    }
}

    <filter>
       <filter-name>BlockJspFilter</filter-name>
       <filter-class>BlockJspFilter</filter-class>
    </filter>
    <filter-mapping>
       <filter-name>BlockJspFilter</filter-name>
       <url-pattern>*.jsp</url-pattern>
    </filter-mapping>

One could even go as far as to use the FilterConfig to pass in the 
regexps which could then be dynamically adjusted in the web.xml

http://java.sun.com/products/servlet/Filters.html

-Mark Diggory


Albert Moliner wrote:
> Finally I'll add the restriction on publication, but anyway it would nice to
> know whether there's a solution to prevent the JSP from being served (yes,
> retrieving an error message or just returning the JSP contents without executing
> the class would be alright), at least for the sake of knowing.
> 
> The only problem with your alternative is that the mapping is not valid: Perhaps
> Tomcat accepts it (I don't think so, as manymonths ago I tried similar mappings
> and did not succeed), but anyway the servlet specs only regard four types of
> mapping:
> - exact path,
> - directory ("/foo/bar/*"),
> - extension ("*.jsp"),
> - default("/").
> I don't know why (performance?), but there's no place for things like
> "/whatever/*.ext".
> 
> About Tim's answer, there are some things that I don't see clear, basically
> dealing with the default servlet. The default servlet is after all a servlet, so
> it ought to be "forwardable" (something to do with having it defined in the
> general web.xml and the forwarder servlet in the app's?). Anyway, the security
> constraint seems the best approach. I'll look up the security documentation.
> 
> Thank you very much (though alternatives are still welcome, as I said before).
> 
> Albert.
> 
> 
> ----- Original Message -----
> From: "Ben Souther" <bs...@fwdco.com>
> To: "Tomcat Users List" <to...@jakarta.apache.org>
> Sent: Friday, December 12, 2003 3:36 PM
> Subject: Re: Disabling JSP execution under certain dirs
> 
> 
> It sounds like Albert wants certain (static) files to be viewable.
> He just doesn't want anyone to be able to execute JSPs from this directory.
> 
> One thing you could try is a servlet mapping that sends all requests ending in
> that directory that end with .jsp to a servlet that sends back a message
> ("FORBIDDEN FILE").
> 
>   <servlet-mapping>
>     <servlet-name>ForbiddenFileServlet</servlet-name>
>     <url-pattern>/DIRECTORY_NAME/*.jsp</url-pattern>
>   </servlet-mapping>
> 
> -Ben
> 
> On Friday 12 December 2003 09:10 am, Tim Funk wrote:
> 
>>Ideally, files you don't want to be seen should be placed in WEB-INF.
>>
>>An alternative is to use a security constraint on the directory that has
>>all of the content. This can be done in apache too via the <Location>
>>directive.
>>
>>Another way is to place all those JSP's with a different extension and then
>>add the mapping to web.xml. Then add the security contraint for that file
>>extension. (Or let apache disallow that file extension)
>>
>>Forwarding to the default servelt WILL provide a 404 because it is a 404.
>>The default servlet gets any request not assigned to any other servlet. So
>>if the default servlet find the resource, it returns a 404.
>>
>>-Tim
>>
>>Albert Moliner wrote:
>>
>>>Hello.
>>>
>>>I've searched the archives on this subject, but the nearest I've reached
>>>has been some posts about not serving static content. It's a bit of a
>>>surprise that no one has asked this before, so sorry if it is a recurrent
>>>question.
>>>
>>>I want Tomcat (4) to execute JSPs as usual, but prevent it from running
>>>the files that are under a certain directory for security reasons. These
>>>files can be published by external people and are supposed to be static,
>>>but if some mischievous publisher posts a JSP and it is executed then
>>>there can be havoc.
>>>
>>>Apart from preventing the publishing of files with that extension, is
>>>there a possible configuration that can be set up?
>>>
>>>I've tried mapping requests to that dir to the default servlet in
>>>web.xml, but 404 errors are returned (why??), and some other wierd things
>>>like using an intermediate servlet that forwards to the default servlet
>>>through its named request dispatcher (the forward method does not seem to
>>>do anything when using the dault servlet, while any other seems to work)
>>>or setting up a separate context for that dir and forward requests to the
>>>context, which maps *.jsp to the default context (I'll skip the details),
>>>but I can't find the solution...
>>>
>>>What astonishes me more is that forwarding or mapping to the default
>>>servlet does not work, but anyway I must be doing something wrong...
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> 
> 
> --
> Ben Souther
> F.W. Davison & Company, Inc.
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> 

-- 
Mark Diggory
Software Developer
Harvard MIT Data Center
http://osprey.hmdc.harvard.edu

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org

Re: Disabling JSP execution under certain dirs

Posted by Albert Moliner <am...@evintia.com>.

Finally I'll add the restriction on publication, but anyway it would nice to
know whether there's a solution to prevent the JSP from being served (yes,
retrieving an error message or just returning the JSP contents without executing
the class would be alright), at least for the sake of knowing.

The only problem with your alternative is that the mapping is not valid: Perhaps
Tomcat accepts it (I don't think so, as manymonths ago I tried similar mappings
and did not succeed), but anyway the servlet specs only regard four types of
mapping:
- exact path,
- directory ("/foo/bar/*"),
- extension ("*.jsp"),
- default("/").
I don't know why (performance?), but there's no place for things like
"/whatever/*.ext".

About Tim's answer, there are some things that I don't see clear, basically
dealing with the default servlet. The default servlet is after all a servlet, so
it ought to be "forwardable" (something to do with having it defined in the
general web.xml and the forwarder servlet in the app's?). Anyway, the security
constraint seems the best approach. I'll look up the security documentation.

Thank you very much (though alternatives are still welcome, as I said before).

Albert.


----- Original Message -----
From: "Ben Souther" <bs...@fwdco.com>
To: "Tomcat Users List" <to...@jakarta.apache.org>
Sent: Friday, December 12, 2003 3:36 PM
Subject: Re: Disabling JSP execution under certain dirs


It sounds like Albert wants certain (static) files to be viewable.
He just doesn't want anyone to be able to execute JSPs from this directory.

One thing you could try is a servlet mapping that sends all requests ending in
that directory that end with .jsp to a servlet that sends back a message
("FORBIDDEN FILE").

  <servlet-mapping>
    <servlet-name>ForbiddenFileServlet</servlet-name>
    <url-pattern>/DIRECTORY_NAME/*.jsp</url-pattern>
  </servlet-mapping>

-Ben

On Friday 12 December 2003 09:10 am, Tim Funk wrote:
> Ideally, files you don't want to be seen should be placed in WEB-INF.
>
> An alternative is to use a security constraint on the directory that has
> all of the content. This can be done in apache too via the <Location>
> directive.
>
> Another way is to place all those JSP's with a different extension and then
> add the mapping to web.xml. Then add the security contraint for that file
> extension. (Or let apache disallow that file extension)
>
> Forwarding to the default servelt WILL provide a 404 because it is a 404.
> The default servlet gets any request not assigned to any other servlet. So
> if the default servlet find the resource, it returns a 404.
>
> -Tim
>
> Albert Moliner wrote:
> > Hello.
> >
> > I've searched the archives on this subject, but the nearest I've reached
> > has been some posts about not serving static content. It's a bit of a
> > surprise that no one has asked this before, so sorry if it is a recurrent
> > question.
> >
> > I want Tomcat (4) to execute JSPs as usual, but prevent it from running
> > the files that are under a certain directory for security reasons. These
> > files can be published by external people and are supposed to be static,
> > but if some mischievous publisher posts a JSP and it is executed then
> > there can be havoc.
> >
> > Apart from preventing the publishing of files with that extension, is
> > there a possible configuration that can be set up?
> >
> > I've tried mapping requests to that dir to the default servlet in
> > web.xml, but 404 errors are returned (why??), and some other wierd things
> > like using an intermediate servlet that forwards to the default servlet
> > through its named request dispatcher (the forward method does not seem to
> > do anything when using the dault servlet, while any other seems to work)
> > or setting up a separate context for that dir and forward requests to the
> > context, which maps *.jsp to the default context (I'll skip the details),
> > but I can't find the solution...
> >
> > What astonishes me more is that forwarding or mapping to the default
> > servlet does not work, but anyway I must be doing something wrong...
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org

--
Ben Souther
F.W. Davison & Company, Inc.



---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org

Re: Disabling JSP execution under certain dirs

Posted by Ben Souther <bs...@fwdco.com>.

It sounds like Albert wants certain (static) files to be viewable.
He just doesn't want anyone to be able to execute JSPs from this directory.

One thing you could try is a servlet mapping that sends all requests ending in 
that directory that end with .jsp to a servlet that sends back a message 
("FORBIDDEN FILE").

  <servlet-mapping>
    <servlet-name>ForbiddenFileServlet</servlet-name>
    <url-pattern>/DIRECTORY_NAME/*.jsp</url-pattern>
  </servlet-mapping>

-Ben

On Friday 12 December 2003 09:10 am, Tim Funk wrote:
> Ideally, files you don't want to be seen should be placed in WEB-INF.
>
> An alternative is to use a security constraint on the directory that has
> all of the content. This can be done in apache too via the <Location>
> directive.
>
> Another way is to place all those JSP's with a different extension and then
> add the mapping to web.xml. Then add the security contraint for that file
> extension. (Or let apache disallow that file extension)
>
> Forwarding to the default servelt WILL provide a 404 because it is a 404.
> The default servlet gets any request not assigned to any other servlet. So
> if the default servlet find the resource, it returns a 404.
>
> -Tim
>
> Albert Moliner wrote:
> > Hello.
> >
> > I've searched the archives on this subject, but the nearest I've reached
> > has been some posts about not serving static content. It's a bit of a
> > surprise that no one has asked this before, so sorry if it is a recurrent
> > question.
> >
> > I want Tomcat (4) to execute JSPs as usual, but prevent it from running
> > the files that are under a certain directory for security reasons. These
> > files can be published by external people and are supposed to be static,
> > but if some mischievous publisher posts a JSP and it is executed then
> > there can be havoc.
> >
> > Apart from preventing the publishing of files with that extension, is
> > there a possible configuration that can be set up?
> >
> > I've tried mapping requests to that dir to the default servlet in
> > web.xml, but 404 errors are returned (why??), and some other wierd things
> > like using an intermediate servlet that forwards to the default servlet
> > through its named request dispatcher (the forward method does not seem to
> > do anything when using the dault servlet, while any other seems to work)
> > or setting up a separate context for that dir and forward requests to the
> > context, which maps *.jsp to the default context (I'll skip the details),
> > but I can't find the solution...
> >
> > What astonishes me more is that forwarding or mapping to the default
> > servlet does not work, but anyway I must be doing something wrong...
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org

-- 
Ben Souther
F.W. Davison & Company, Inc.



---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org

Re: Disabling JSP execution under certain dirs

Posted by Tim Funk <fu...@joedog.org>.

Ideally, files you don't want to be seen should be placed in WEB-INF.

An alternative is to use a security constraint on the directory that has all 
of the content. This can be done in apache too via the <Location> directive.

Another way is to place all those JSP's with a different extension and then 
add the mapping to web.xml. Then add the security contraint for that file 
extension. (Or let apache disallow that file extension)

Forwarding to the default servelt WILL provide a 404 because it is a 404. The 
default servlet gets any request not assigned to any other servlet. So if the 
default servlet find the resource, it returns a 404.

-Tim

Albert Moliner wrote:

> Hello.
> 
> I've searched the archives on this subject, but the nearest I've reached has
> been some posts about not serving static content. It's a bit of a surprise that
> no one has asked this before, so sorry if it is a recurrent question.
> 
> I want Tomcat (4) to execute JSPs as usual, but prevent it from running the
> files that are under a certain directory for security reasons. These files can
> be published by external people and are supposed to be static, but if some
> mischievous publisher posts a JSP and it is executed then there can be havoc.
> 
> Apart from preventing the publishing of files with that extension, is there a
> possible configuration that can be set up?
> 
> I've tried mapping requests to that dir to the default servlet in web.xml, but
> 404 errors are returned (why??), and some other wierd things like using an
> intermediate servlet that forwards to the default servlet through its named
> request dispatcher (the forward method does not seem to do anything when using
> the dault servlet, while any other seems to work) or setting up a separate
> context for that dir and forward requests to the context, which maps *.jsp to
> the default context (I'll skip the details), but I can't find the solution...
> 
> What astonishes me more is that forwarding or mapping to the default servlet
> does not work, but anyway I must be doing something wrong...



---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org