Re: [osgi-users] Best practice to hide class files and other confidential resources from servlet projects
Hello Matti,
as far as I know you are registering a VaadinServlet:
import javax.servlet.Servlet;
import javax.servlet.ServletException;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.http.whiteboard.propertytypes.HttpWhiteboardServletPattern;
import com.vaadin.flow.server.VaadinServlet;

// Registered with the HTTP Whiteboard at the root pattern "/*"
@Component(service = Servlet.class)
@HttpWhiteboardServletPattern("/*")
public class FixedVaadinServlet extends VaadinServlet {
    @Override
    protected void servletInitialized() throws ServletException {
        // Let Vaadin resolve classes through this bundle's class loader
        getService().setClassLoader(getClass().getClassLoader());
    }
}
Are you really sure that the VaadinServlet / StaticFileHandler is not the one that gives access to the classes?
https://github.com/vaadin/flow/blob/2.5/flow-server/src/main/java/com/vaadin/flow/server/VaadinServlet.java#L80-L82
The link to the spec you sent is not about the normal "http whiteboard"; it is about the Web Applications Specification:
https://docs.osgi.org/specification/osgi.cmpn/7.0.0/service.war.html#i3096883
regards
On 3/4/21 6:52 PM, Matti Tahvonen wrote:
Hi,

We have been working on a renewed OSGi integration and I noticed a nasty “feature” in our examples: When http whiteboard has registered a servlet, all class files and resource files from that bundle are accessible from the root context. I find this a potential security issue and would like to get them hidden by default. This can be verified by both of our examples (https://github.com/vaadin/base-starter-flow-karaf, https://github.com/vaadin/base-starter-flow-osgi) and also using official Karaf examples.

The specification kind of hints one should put class files into WEB-INF/classes. But I can’t find any good examples where a project would be configured to work like that, and as even the Karaf examples are not using that kind of pattern, it makes me wonder if “I’m holding it wrong”. So my main question is, what is the best practice to package servlets so that all implementation details are not exposed to the world? Our examples use Maven and bndtools.
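The exposure Matti describes can be checked against a running deployment. The probe below is an added example, not code from this thread, from Vaadin or from the OSGi project. It requests a handful of paths a bundle would typically contain (hypothetical class and descriptor names; substitute entries from your own bundle's jar listing) and flags any that come back as a JVM class file or as a real resource. Because a Vaadin router mounted at "/*" tends to answer unknown URLs with its index page rather than a 404, the probe first fetches a path that cannot exist and treats any identical response as that fallback, not as an exposed resource. The constructed `sample_fetch` responses emulate a leaky server so the script runs offline; pass a base URL to probe a real one.

```python
"""Probe a servlet root for bundle class files and resources it should not serve.

Added example; not code from this thread, Vaadin or the OSGi project.
Assumes the servlet is mounted at "/*"; CANDIDATE_PATHS are hypothetical
names to replace with entries from your own bundle.
"""
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit

# Every JVM class file starts with these four bytes (ClassFile.magic).
CLASS_MAGIC = b"\xca\xfe\xba\xbe"

# A path that cannot exist in the bundle; its response is the servlet's fallback.
BASELINE_PATH = "/__probe__/no-such-resource"

# Hypothetical bundle entries: a servlet class, its DS descriptor, the manifest,
# and the same class under WEB-INF/classes (the location the WAB spec keeps hidden).
CANDIDATE_PATHS = [
    "/com/example/app/FixedVaadinServlet.class",
    "/OSGI-INF/com.example.app.FixedVaadinServlet.xml",
    "/META-INF/MANIFEST.MF",
    "/WEB-INF/classes/com/example/app/FixedVaadinServlet.class",
]

Response = Tuple[int, bytes]
Fetcher = Callable[[str], Response]


@dataclass(frozen=True)
class Finding:
    path: str
    status: int
    kind: str  # "class-file" | "resource" | "fallback" | "hidden"


def classify(status: int, body: bytes, baseline: Response) -> str:
    """Label one response; "class-file" and "resource" mean the path is exposed."""
    if status == 200 and body.startswith(CLASS_MAGIC):
        return "class-file"
    if (status, body) == baseline:
        # Identical to the answer for a nonexistent path: the router's index
        # page or error view, not the bundle entry we asked for.
        return "fallback"
    if status == 200:
        return "resource"
    return "hidden"


def probe(fetch: Fetcher, base_url: str, paths: List[str] = CANDIDATE_PATHS) -> List[Finding]:
    """Fetch the baseline, then each candidate path, and classify the answers."""
    base_url = base_url.rstrip("/")
    baseline = fetch(base_url + BASELINE_PATH)
    findings = []
    for path in paths:
        status, body = fetch(base_url + path)
        findings.append(Finding(path, status, classify(status, body, baseline)))
    return findings


def exposed(findings: List[Finding]) -> List[Finding]:
    """Only the findings that indicate a served bundle entry."""
    return [f for f in findings if f.kind in ("class-file", "resource")]


def http_fetch(url: str) -> Response:
    """Real fetcher: status and the first 64 KiB of the body, error pages included."""
    req = urllib.request.Request(url, headers={"User-Agent": "bundle-exposure-probe"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read(64 * 1024)
    except urllib.error.HTTPError as err:
        return err.code, err.read(64 * 1024)


# Constructed responses emulating a leaky deployment: the servlet at "/*"
# hands out bundle entries and answers every other path with its index page.
_INDEX: Response = (200, b"<!doctype html><html><body>index</body></html>")
_FAKE_SERVER: Dict[str, Response] = {
    "/com/example/app/FixedVaadinServlet.class": (200, CLASS_MAGIC + b"\x00\x00\x00\x34" + b"\x00" * 16),
    "/OSGI-INF/com.example.app.FixedVaadinServlet.xml": (200, b'<scr:component name="com.example.app.FixedVaadinServlet"/>'),
    "/META-INF/MANIFEST.MF": (200, b"Manifest-Version: 1.0\nBundle-SymbolicName: com.example.app\n"),
}


def sample_fetch(url: str) -> Response:
    """Offline fetcher backed by the constructed responses above."""
    return _FAKE_SERVER.get(urlsplit(url).path, _INDEX)


if __name__ == "__main__":
    live = len(sys.argv) > 1
    target = sys.argv[1] if live else "http://localhost:8080"
    findings = probe(http_fetch if live else sample_fetch, target)
    for f in findings:
        print(f"{f.kind:10} {f.status:3} {f.path}")
    sys.exit(1 if exposed(findings) else 0)
```

Run it as `python probe.py http://host:8080` against a deployment; anything reported as class-file or resource is being served from the root context, and the non-zero exit code lets the probe sit in a CI job. One caveat: if the fallback page embeds a per-request token, the body comparison with the baseline will stop matching and every unknown path will be over-reported as a resource; in that case compare the Content-Type header or a normalised body instead of the raw bytes.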
_______________________________________________
osgi-users mailing list
osgi-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/osgi-users