Posted to dev@tomcat.apache.org by bu...@apache.org on 2019/10/10 09:20:05 UTC

[Bug 63828] New: Allow WebdavServlet to serve only a subset of a WebResourceRoot

https://bz.apache.org/bugzilla/show_bug.cgi?id=63828

            Bug ID: 63828
           Summary: Allow WebdavServlet to serve only a subset of a
                    WebResourceRoot
           Product: Tomcat 8
           Version: 8.5.x-trunk
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: michaelo@apache.org
  Target Milestone: ----

Based on a discussion here:
https://www.mail-archive.com/dev@tomcat.apache.org/msg136984.html

Consider the following in context.xml:
> <Resources>
>   <PostResources base="D:\diprogs\share\diforms\static"
>     className="org.apache.catalina.webresources.DirResourceSet"
>     webAppMount="/WEB-INF/diforms" />
>   <PostResources base="D:\diprogs\share\diforms\generated"
>     className="org.apache.catalina.webresources.DirResourceSet"
>     webAppMount="/WEB-INF/diforms" />
> </Resources>

I want the WebdavServlet to serve /WEB-INF/diforms either as /diforms or a 1:1
mapping /diforms to /diforms. No other resource subset shall be available via
WebDAV. I expect to register a separate WebdavServlet in the web.xml which
mounts to /diforms and limits WebResourceRoot to /diforms only.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


[Bug 63828] Allow WebdavServlet to serve only a subset of a WebResourceRoot

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=63828

--- Comment #2 from Michael Osipov <mi...@apache.org> ---
(In reply to Remy Maucherat from comment #1)
> This was never done since it's not the design philosophy of the thing (it
> extends the default servlet, it's supposed to work that way as well), and I
> believe whatever use cases are already covered. Sure, infinite flexibility
> is always better :)
> 
> In your example, I think you can create a webapp that maps to
> D:\diprogs\share\diforms\static (or the other path, I don't really
> understand the example) and then secure it properly. Since you can also nest
> webapp paths, this gives a lot of possibilities.

While I can do that, this causes problems with stateful applications where a
security filter must access session objects to perform decisions. Not to mention
the maintenance overhead for a second webapp.



[Bug 63828] Allow WebdavServlet to serve only a subset of a WebResourceRoot

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=63828

--- Comment #4 from Michael Osipov <mi...@apache.org> ---
(In reply to Mark Thomas from comment #3)
> The way the WebDAV servlet is implemented, it just isn't designed to serve
> arbitrary locations within the web app at arbitrary paths. Refactoring that
> would be a lot of work.
> 
> Taking the use case here you want /WEB-INF/diforms to be accessible via
> WebDAV at /diforms (and any similar example) then I would suggest the
> following approach:
> 
> Use security constraints to limit WebDAV methods to the target URL:
> 
>   <security-constraint>
>     <display-name>Block WebDAV</display-name>
>     <web-resource-collection>
>       <web-resource-name>All</web-resource-name>
>       <url-pattern>/*</url-pattern>
>       <http-method-omission>GET</http-method-omission>
>       <http-method-omission>POST</http-method-omission>
>       <http-method-omission>OPTIONS</http-method-omission>
>     </web-resource-collection>
>     <auth-constraint />
>   </security-constraint>
> 
>   <security-constraint>
>     <display-name>Allow WebDAV</display-name>
>     <web-resource-collection>
>       <web-resource-name>Diforms</web-resource-name>
>       <url-pattern>/diforms/*</url-pattern>
>     </web-resource-collection>
>   </security-constraint>
> 
> 
> 
> Use Resources to map the required resources to the desired target URL:
> 
> <Context>
>   <Resources>
>     <PreResources 
>         className="org.apache.catalina.webresources.DirResourceSet"
>         base="${catalina.base}/webapps/ROOT/WEB-INF/diforms"
>         webAppMount="/diforms" />
>   </Resources>
> </Context>
> 
> 
> I am resolving this as WORKSFORME on the basis that I believe the
> configuration approach above solves the general problem. If not, the users@
> list is probably the best place to continue the discussion as it is likely
> that a configuration solution will exist even if the one above is
> insufficient.

I accept this as one possible workaround, but don't see how the WebDAV servlet
will serve this path only. It simply can. It will also serve the entire
context. But it is good that you documented that the servlet has never been
designed for that.



[Bug 63828] Allow WebdavServlet to serve only a subset of a WebResourceRoot

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=63828

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |WORKSFORME

--- Comment #3 from Mark Thomas <ma...@apache.org> ---
The way the WebDAV servlet is implemented, it just isn't designed to serve
arbitrary locations within the web app at arbitrary paths. Refactoring that
would be a lot of work.

Taking the use case here you want /WEB-INF/diforms to be accessible via WebDAV
at /diforms (and any similar example) then I would suggest the following
approach:

Use security constraints to limit WebDAV methods to the target URL:

  <security-constraint>
    <display-name>Block WebDAV</display-name>
    <web-resource-collection>
      <web-resource-name>All</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method-omission>GET</http-method-omission>
      <http-method-omission>POST</http-method-omission>
      <http-method-omission>OPTIONS</http-method-omission>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>

  <security-constraint>
    <display-name>Allow WebDAV</display-name>
    <web-resource-collection>
      <web-resource-name>Diforms</web-resource-name>
      <url-pattern>/diforms/*</url-pattern>
    </web-resource-collection>
  </security-constraint>



Use Resources to map the required resources to the desired target URL:

<Context>
  <Resources>
    <PreResources 
        className="org.apache.catalina.webresources.DirResourceSet"
        base="${catalina.base}/webapps/ROOT/WEB-INF/diforms"
        webAppMount="/diforms" />
  </Resources>
</Context>


I am resolving this as WORKSFORME on the basis that I believe the configuration
approach above solves the general problem. If not, the users@ list is probably
the best place to continue the discussion as it is likely that a configuration
solution will exist even if the one above is insufficient.

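Added example (not part of the original thread and not Tomcat's code): a simplified Python model of how the Servlet specification combines the two security constraints from comment #3, to check which method and path pairs the container rejects before any servlet runs. It models only `http-method-omission` with exact and path-prefix URL patterns; the function names and the request paths used to exercise it are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constraints from comment #3 (display and resource names trimmed), wrapped in a root.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
      <http-method-omission>GET</http-method-omission>
      <http-method-omission>POST</http-method-omission>
      <http-method-omission>OPTIONS</http-method-omission>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/diforms/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
</web-app>"""

def load(xml_text):
    """Return (pattern, omitted methods, has empty auth-constraint) tuples."""
    rules = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        auth = sc.find("auth-constraint")
        deny_all = auth is not None and not auth.findall("role-name")
        for wrc in sc.iter("web-resource-collection"):
            omitted = {e.text.strip() for e in wrc.findall("http-method-omission")}
            for p in wrc.findall("url-pattern"):
                rules.append((p.text.strip(), omitted, deny_all))
    return rules

def match_len(pattern, path):
    """Length of a path-prefix ('/x/*') or exact match, or -1 if no match."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return len(prefix) if path == prefix or path.startswith(prefix + "/") else -1
    return len(pattern) if pattern == path else -1

def decide(rules, method, path):
    """'deny' if the best-matching pattern covers the method with an empty auth-constraint."""
    scored = [(match_len(p, path), om, deny) for p, om, deny in rules]
    best = max((s for s, _, _ in scored), default=-1)
    for score, omitted, deny in scored:
        if score == best and score >= 0 and method not in omitted and deny:
            return "deny"
    return "allow"

RULES = load(WEB_XML)
```

The model covers the container's constraint check only; which servlet then handles an allowed request is decided by the servlet mappings in web.xml.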


[Bug 63828] Allow WebdavServlet to serve only a subset of a WebResourceRoot

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=63828

--- Comment #1 from Remy Maucherat <re...@apache.org> ---
This was never done since it's not the design philosophy of the thing (it
extends the default servlet, it's supposed to work that way as well), and I
believe whatever use cases are already covered. Sure, infinite flexibility is
always better :)

In your example, I think you can create a webapp that maps to
D:\diprogs\share\diforms\static (or the other path, I don't really understand
the example) and then secure it properly. Since you can also nest webapp paths,
this gives a lot of possibilities.



[Bug 63828] Allow WebdavServlet to serve only a subset of a WebResourceRoot

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=63828

Michael Osipov <mi...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |michaelo@apache.org
