[osgi-users] Best practice to hide class files and other confidential resources from servlet projects

Hi,

We have been working on a renewed OSGi integration and I noticed a nasty “feature” in our examples: When http whiteboard has registered a servlet, all class files and resource files from that bundle are accessible from the root context. I find this a potential security issue and would like to get them hidden by default. This can be verified by both of our examples (https://github.com/vaadin/base-starter-flow-karaf and https://github.com/vaadin/base-starter-flow-osgi) and also using official Karaf examples.

For example, if you deploy karaf-servlet-example-registration (https://github.com/apache/karaf/tree/master/examples/karaf-servlet-example) to Karaf, you can download Activator.class from http://localhost:8181/org/apache/karaf/examples/servlet/registration/Activator.class

The specification kind of hints one should put class files into WEB-INF/classes. But I can’t find any good examples where a project would be configured to work like that, and as even the Karaf examples are not using that kind of pattern, it makes me wonder if “I’m holding it wrong”. So my main question is, what is the best practice to package servlets so that all implementation details are not exposed to the world? Our examples use Maven and bndtools.

__
Matti Tahvonen - Vaadin Ltd - vaadin.com

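As an added example (not part of the original post, and not Vaadin's or Karaf's code), the following script audits a bundle jar for entries that would be reachable from the root context under the behaviour the post describes: everything in the bundle is served, except the prefixes the Servlet specification forbids clients from fetching directly (WEB-INF/ and META-INF/). The sample bundle layouts, the org/example/servlet package name and the list of "sensitive" suffixes are constructed for illustration.

```python
"""Audit an OSGi bundle jar for class files and resources that would be served
under the root context if the container exposes bundle content directly.

Added example, not from the original thread. It assumes the behaviour described
in the post (whole bundle reachable from "/") and relies on the Servlet
specification rule that WEB-INF/ and META-INF/ are never served to clients.
"""
import io
import zipfile

# Servlet specification: the container must not serve these prefixes directly.
PROTECTED_PREFIXES = ("WEB-INF/", "META-INF/")

# Suffixes that usually carry implementation or configuration detail (assumed list).
SENSITIVE_SUFFIXES = (".class", ".properties", ".xml", ".yaml", ".yml", ".key", ".p12", ".jks")


def exposed_entries(jar_bytes: bytes) -> dict:
    """Classify the jar's file entries as 'hidden' (under a protected prefix)
    or 'exposed' (would map to a URL under the root context)."""
    result = {"exposed": [], "hidden": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith("/"):
                continue  # directory placeholder, not a servable resource
            if name.startswith(PROTECTED_PREFIXES):
                result["hidden"].append(name)
            else:
                result["exposed"].append(name)
    return result


def sensitive_exposures(jar_bytes: bytes) -> list:
    """Exposed entries whose suffix suggests they were never meant to be public."""
    return [n for n in exposed_entries(jar_bytes)["exposed"] if n.endswith(SENSITIVE_SUFFIXES)]


def build_sample_bundle(classes_under_web_inf: bool) -> bytes:
    """Construct a minimal in-memory bundle jar (sample data, not a real artifact).

    With classes_under_web_inf=False the layout mirrors the example from the post:
    the activator class sits at the jar root. With True the same files are packaged
    under WEB-INF/classes, as the specification hints.
    """
    prefix = "WEB-INF/classes/" if classes_under_web_inf else ""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Bundle-SymbolicName: sample\n")
        # Hypothetical class file: only the magic number, enough for the audit.
        zf.writestr(prefix + "org/example/servlet/Activator.class", b"\xca\xfe\xba\xbe")
        zf.writestr(prefix + "org/example/servlet/db.properties", "user=app\n")
        # Static content that is intended to be public stays at the root.
        zf.writestr("static/index.html", "<html></html>")
    return buf.getvalue()


if __name__ == "__main__":
    for layout in (False, True):
        where = "WEB-INF/classes" if layout else "jar root"
        print(f"classes in {where}: sensitive exposures = {sensitive_exposures(build_sample_bundle(layout))}")
```

To audit a real bundle, read the built jar from disk and pass its bytes to `sensitive_exposures`; an empty list means nothing with a sensitive suffix is reachable outside the protected prefixes. If classes are moved under WEB-INF/classes, that directory must also be listed in the bundle's `Bundle-ClassPath` header, otherwise the bundle can no longer load its own classes.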