Re: [osgi-users] Best practice to hide class files and other confidential resources from servlet projects

Hi Matti,

In Vaadin you use the HttpWhiteboard Specification:

https://docs.osgi.org/specification/osgi.cmpn/7.0.0/service.http.whiteboard.html

In your link you refer to a WAB, a web application bundle.

The problem you describe seems to be related to the VaadinServlet. It obviously allows access to resources in the jar.

If you e.g. register a Servlet like this under the same context, you will not experience the issue.

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ExampleServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    @Override
    public void init() throws ServletException {
        // Nothing to set up for this example.
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        // Answers every GET with a fixed HTML page; it never touches bundle resources.
        resp.setContentType("text/html");
        PrintWriter writer = resp.getWriter();
        writer.format("<h1>Hello World!</h1>");
        writer.format("<p>I am Servlet</p>");
    }

}

In your base-starter-vaadin-flow example, you register the Servlet in an OSGi component like this:

import java.util.Dictionary;
import java.util.Hashtable;

import javax.servlet.Servlet;

import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceRegistration;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Deactivate;
import org.osgi.service.http.whiteboard.HttpWhiteboardConstants;

@Component(immediate = true)
public class Example {

    private ServiceRegistration<Servlet> servletRegistration;

    @Activate
    public void activate(BundleContext ctx) {
        // Whiteboard properties: the Http Whiteboard picks the servlet up because of the pattern.
        Dictionary<String, Object> properties = new Hashtable<String, Object>();
        properties.put(HttpWhiteboardConstants.HTTP_WHITEBOARD_SERVLET_ASYNC_SUPPORTED, true);
        properties.put(HttpWhiteboardConstants.HTTP_WHITEBOARD_SERVLET_PATTERN, "/*");
        servletRegistration = ctx.registerService(Servlet.class, new ExampleServlet(), properties);
    }

    @Deactivate
    public void deactivate() {
        // Unregistering the service removes the servlet from the whiteboard again.
        if (servletRegistration != null) {
            servletRegistration.unregister();
        }
    }

}

If you launch the application and try the class file URL, nothing will happen.

I reproduced the problem you described with the VaadinServlet and used a Servlet Filter to reject the request for certain URLs (in that case everything that starts with /org):

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ServiceScope;
import org.osgi.service.http.whiteboard.propertytypes.HttpWhiteboardFilterPattern;

@Component(scope = ServiceScope.PROTOTYPE)
@HttpWhiteboardFilterPattern("/*")
public class ExampleFilter implements Filter {

    // Request URI prefixes that are answered with 404 instead of being passed on to the servlet.
    private String[] pathToBeIgnored = new String[]{"/org"};

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        String path = ((HttpServletRequest) request).getRequestURI();
        boolean ignored = false;
        for (String ignore : pathToBeIgnored) {
            if (path.startsWith(ignore)) {
                ignored = true;
                break;
            }
        }
        if (!ignored) {
            chain.doFilter(request, response); // Just continue the chain.
        } else {
            HttpServletResponse r = (HttpServletResponse) response;
            r.sendError(404);
        }
    }

    @Override
    public void destroy() {
    }

}

I hope this helps.

Regards,

Mark


-- 
Mark Hoffmann
M.A. Dipl.-Betriebswirt (FH)
Geschäftsführer

Tel:    +49 3641 384 910 0
Mobil:  +49 175 701 2201  
E-Mail: m.hoffmann@xxxxxxxxxxxxxxxxxx
Web: www.datainmotion.de 

Data In Motion Consulting GmbH
Kahlaische Straße 4
07745 Jena

Geschäftsführer
Mark Hoffmann
Jürgen Albert

Jena HRB 513025
Steuernummer 162/107/05779
USt-Id DE310002614
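A variant of the deny filter from the reply above, added here as an example and not Mark's, Vaadin's or the OSGi project's own code: it keeps the same whiteboard registration but matches on the context-relative, percent-decoded and dot-normalised path, so encoded or `..` variants of the same URL are caught and `/organisation` is not blocked along with `/org`. The class name, the `DENIED_DIRS` list and the `isDenied` helper are assumptions, and it relies on the Servlet 4.0 API (`Filter` with default `init`/`destroy`).

```java
import java.io.IOException;
import java.net.URI;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ServiceScope;
import org.osgi.service.http.whiteboard.propertytypes.HttpWhiteboardFilterPattern;

@Component(scope = ServiceScope.PROTOTYPE)
@HttpWhiteboardFilterPattern("/*")
public class BundleResourceDenyFilter implements Filter {
    // Assumed deny list: top-level package directories that must never be served as resources.
    static final String[] DENIED_DIRS = {"/org", "/com"};

    /** Decides on the context-relative, percent-decoded, dot-normalised path; fails closed on odd input. */
    static boolean isDenied(String contextPath, String requestUri) {
        String path = requestUri.startsWith(contextPath) ? requestUri.substring(contextPath.length()) : requestUri;
        try {
            // Decode %2e%2e etc., then collapse "." and ".." so "/x/../org/A.class" becomes "/org/A.class".
            path = URI.create(URLDecoder.decode(path, StandardCharsets.UTF_8)).normalize().getPath();
        } catch (IllegalArgumentException e) {
            return true; // unparsable after decoding: reject rather than guess
        }
        // A path that still escapes the root, or any class file anywhere, is rejected outright.
        if (path == null || path.contains("..") || path.endsWith(".class")) return true;
        for (String dir : DENIED_DIRS) {
            // Whole-segment match: "/org" and "/org/x" are denied, "/organisation" is not.
            if (path.equals(dir) || path.startsWith(dir + "/")) return true;
        }
        return false;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        if (isDenied(req.getContextPath(), req.getRequestURI())) {
            ((HttpServletResponse) response).sendError(404); // same answer as for a missing resource
            return;
        }
        chain.doFilter(request, response);
    }
}
```

Like the filter in the reply it targets the default servlet context; if the VaadinServlet is registered under another context, the filter needs a matching context selector or it never sees those requests.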
