Eclipse Community Forums: Equinox » Hide filter access to WEB-INF

Help

Home

Home » Eclipse Projects » Equinox » Hide filter access to WEB-INF

Show: Today's Messages :: Show Polls :: Message Navigator

Hide filter access to WEB-INF [message #119511]

Tue, 14 October 2008 02:41

Ignacio M

Messages: 20
Registered: July 2009

Junior Member

Hi, Im working on a web-application using Eclipse-Equinox server side, I
have integrated myFaces to it. I need the WEB-INF/web.xml file to set some
configurations for myFaces, but I dont want that the users have access to
this resource.

My web resources are under the /web directory, so I have /web/WEB-INF

JspServlet _jspServlet = new JspServlet(context.getBundle(), "/web");

Is there a way to hide to the browser the WEB-INF resource, and any files
or sub directories inside it?

Thanks.

Report message to a moderator

Re: Hide filter access to WEB-INF [message #119542 is a reply to message #119511]

Tue, 14 October 2008 03:18

Simon Kaegi

Messages: 381
Registered: July 2009

Senior Member

The JSPServlet has built in code to filter out request to WEB-INF. Do you
have a situation where this isn't working?
Looking at the code the match is not case insensitive so perhaps there is a
bug lurking here. Please let me know here.

Anyway... probably the easiest way is to register the JSPServlet with an
extension alias e.g. something like "/*.jsp" or "/web/*.jsp". I should add
that the current OSGi HTTP Service spec does not provide support for
extension aliases so this is specific to the equinox http service
implementations (both servletbridge and jetty-based implementations).

Another possibility is to register a special 404Servlet at WEB-INF although
again it's important to be careful about case sensitivity issues.

HTH
-Simon

"Ignacio M" <nmorenor@gmail.com> wrote in message
news:5ff6ceca6c0f8833c24207229a20a05e$1@www.eclipse.org...
> Hi, Im working on a web-application using Eclipse-Equinox server side, I
> have integrated myFaces to it. I need the WEB-INF/web.xml file to set some
> configurations for myFaces, but I dont want that the users have access to
> this resource.
>
> My web resources are under the /web directory, so I have /web/WEB-INF
>
> JspServlet _jspServlet = new JspServlet(context.getBundle(), "/web");
>
> Is there a way to hide to the browser the WEB-INF resource, and any files
> or sub directories inside it?
>
> Thanks.
>

Report message to a moderator

Re: Hide filter access to WEB-INF [message #119931 is a reply to message #119542]

Wed, 22 October 2008 00:59

Ignacio M

Messages: 20
Registered: July 2009

Junior Member

Im checking this, like I say Im using apache myFaces Servlet, but Im using
the ClassLoader from your JspServlet. I have made a CtxListenerAdaptor
that extends from HttpServlet, then Im adding this to the service method...

public void service(HttpServletRequest req, HttpServletResponse resp)
				throws ServletException, IOException {
			String pathInfo = req.getPathInfo();
			System.out.println(pathInfo);
			if (pathInfo != null && pathInfo.contains("/WEB-INF/")) { //$NON-NLS-1$
				resp.sendError(HttpServletResponse.SC_NOT_FOUND);
				return;
			}
			ClassLoader original = Thread.currentThread()
					.getContextClassLoader();
			try {
				Thread.currentThread().setContextClassLoader(jspLoader);
				delegate.service(req, resp);
			} finally {
				Thread.currentThread().setContextClassLoader(original);
			}
		}

but when I call the getPathInfo I get a null value this class is called to
get this info
org.eclipse.equinox.http.servlet.internal.HttpServletRequest Adaptor is
there a fix for this issue. Or we need to search a workaround for this.

Thanks

Report message to a moderator

Re: Hide filter access to WEB-INF [message #119942 is a reply to message #119931]

Wed, 22 October 2008 01:14

Ignacio M

Messages: 20
Registered: July 2009

Junior Member

But there is a catch, when I do a request to
http://localhost:8080/jsf/WEB-INF/web.xml this service method is not
called...

Thanks
Ignacio M

Report message to a moderator

Re: Hide filter access to WEB-INF [message #119954 is a reply to message #119942]

Wed, 22 October 2008 01:31

Ignacio M

Messages: 20
Registered: July 2009

Junior Member

I think that path info is working as expected, because Im registering the
servlets with this.

_http.registerServlet("/jsf/*.jsf", _servlet, initparams,_context);

so the /WEB-INF/web.xml does not match with this alias. I need to think in
another way...

Report message to a moderator

Re: Hide filter access to WEB-INF [message #120030 is a reply to message #119542]

Thu, 23 October 2008 00:31

Ignacio M

Messages: 20
Registered: July 2009

Junior Member

What do you think if we modify this class
org.eclipse.equinox.http.jetty.internal.HttpServerManager$In ternalHttpServiceServlet

Making it extend from HttpServlet instead implemet Servlet from her self,
and add this lines...

public void service(HttpServletRequest req, HttpServletResponse resp)
throws ServletException, IOException {
String pathInfo = req.getPathInfo();
System.out.println(pathInfo);
if (pathInfo != null && pathInfo.contains("/WEB-INF/")) { //$NON-NLS-1$
resp.sendError(HttpServletResponse.SC_NOT_FOUND);
return;
}

do you think that it will cause a performance problem or anything else? I
test this change and it is working Im not able to view nothing inside a
WEB-INF direcotry...

Report message to a moderator

Re: Hide filter access to WEB-INF [message #120058 is a reply to message #120030]

Thu, 23 October 2008 01:46

Simon Kaegi

Messages: 381
Registered: July 2009

Senior Member

Ignacio,

I would not want to make a special rule like this since the OSGi Http
Service makes no special provision for a WEB-INF path.
Here are a couple of alternatives I'd suggest:
1) For your "resource" registration use a custom HttpContext that filters
out the WEB-INF folder.
2) Use a custom ResourceServlet and filter out WEB-INF like you've shown.
3) Package your resources in a separate folder hierarchy from your JSF/JSP
components that need a WEB-INF folder.

Are any of those workable?
-Simon

"Ignacio M" <nmorenor@gmail.com> wrote in message
news:8016f7001f44be975eb327715bb339f5$1@www.eclipse.org...
> What do you think if we modify this class
> org.eclipse.equinox.http.jetty.internal.HttpServerManager$In ternalHttpServiceServlet
>
> Making it extend from HttpServlet instead implemet Servlet from her self,
> and add this lines...
>
> public void service(HttpServletRequest req, HttpServletResponse resp)
> throws ServletException, IOException {
> String pathInfo = req.getPathInfo();
> System.out.println(pathInfo);
> if (pathInfo != null && pathInfo.contains("/WEB-INF/")) { //$NON-NLS-1$
> resp.sendError(HttpServletResponse.SC_NOT_FOUND);
> return;
> }
>
> do you think that it will cause a performance problem or anything else? I
> test this change and it is working Im not able to view nothing inside a
> WEB-INF direcotry...
>

Report message to a moderator

Re: Hide filter access to WEB-INF [message #120131 is a reply to message #120058]

Fri, 24 October 2008 02:11

Ignacio M

Messages: 20
Registered: July 2009

Junior Member

The HttpContext implementation sounds good... Thanks, with this
implementation can we filter any other directory on my web app, based on
javax.security.auth.Subject?? This could be rely good... Today I was
looking to this plugin org.eclipse.equinox.examples.httpsecurity, I think
that is a good base to implement this new HttpContext. Ill try that and
probably I will post more questions thoughts on this later...

many Thanks
Ignacio.

Report message to a moderator

Previous Topic:	Running multiple instances of servletbridge in a tomcat instance
Next Topic:	Re: Problem integrating equinox transforms (xslt)

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

]

Current Time: Wed Jul 17 19:32:09 GMT 2024

.:: Contact :: Home ::.

Breadcrumbs

Sign up to our Newsletter