Re: [osgi-users] Best practice to hide class files and other confidential resources from servlet projects
Hi Matti,

In Vaadin you use the HttpWhiteboard Specification:
https://docs.osgi.org/specification/osgi.cmpn/7.0.0/service.http.whiteboard.html

In your link you refer to a WAB, a web application bundle.

The problem you describe seems to be related to the VaadinServlet. It obviously allows access to resources in the jar.

If you e.g. register a Servlet like this under the same context, you will not experience the issue.
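
    import java.io.IOException;
    import java.io.PrintWriter;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    public class ExampleServlet extends HttpServlet {
        private static final long serialVersionUID = 1L;

        @Override
        public void init() throws ServletException {
        }

        // Writes a fixed HTML body; it never reads resources from the bundle.
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            resp.setContentType("text/html");
            PrintWriter writer = resp.getWriter();
            writer.format("<h1>Hello World!</h1>");
            writer.format("<p>I am Servlet</p>");
        }
    }
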
In your base-starter-vaadin-flow example, you register the Servlet in an OSGi component like this:
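
    import java.util.Dictionary;
    import java.util.Hashtable;
    import javax.servlet.Servlet;
    import org.osgi.framework.BundleContext;
    import org.osgi.framework.ServiceRegistration;
    import org.osgi.service.component.annotations.Activate;
    import org.osgi.service.component.annotations.Component;
    import org.osgi.service.component.annotations.Deactivate;
    import org.osgi.service.http.whiteboard.HttpWhiteboardConstants;

    @Component(immediate = true)
    public class Example {
        private ServiceRegistration<Servlet> servletRegistration;

        @Activate
        public void activate(BundleContext ctx) {
            Dictionary<String, Object> properties = new Hashtable<String, Object>();
            properties.put(HttpWhiteboardConstants.HTTP_WHITEBOARD_SERVLET_ASYNC_SUPPORTED, true);
            // Map the servlet to every path of the context.
            properties.put(HttpWhiteboardConstants.HTTP_WHITEBOARD_SERVLET_PATTERN, "/*");
            servletRegistration = ctx.registerService(Servlet.class, new ExampleServlet(), properties);
        }

        @Deactivate
        public void deactivate() {
            if (servletRegistration != null) {
                servletRegistration.unregister();
            }
        }
    }
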
If you launch the application and try the class file URL, nothing will happen.

I reproduced the problem you described with the VaadinServlet and used a Servlet Filter to reject the request for certain URLs (in that case everything that starts with /org):
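
    import java.io.IOException;
    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.osgi.service.component.annotations.Component;
    import org.osgi.service.component.annotations.ServiceScope;
    import org.osgi.service.http.whiteboard.propertytypes.HttpWhiteboardFilterPattern;

    @Component(scope = ServiceScope.PROTOTYPE)
    @HttpWhiteboardFilterPattern("/*")
    public class ExampleFilter implements Filter {
        private String[] pathToBeIgnored = new String[]{"/org"};

        @Override
        public void init(FilterConfig filterConfig) throws ServletException {
        }

        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            String path = ((HttpServletRequest) request).getRequestURI();
            // Reject the request if it starts with any of the configured prefixes.
            for (String ignore : pathToBeIgnored) {
                if (path.startsWith(ignore)) {
                    HttpServletResponse r = (HttpServletResponse) response;
                    r.sendError(404);
                    return;
                }
            }
            chain.doFilter(request, response); // Just continue chain.
        }

        @Override
        public void destroy() {
        }
    }
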
I hope this helps.
Regards,
Mark
--
Mark Hoffmann
M.A. Dipl.-Betriebswirt (FH)
Managing Director
Tel: +49 3641 384 910 0
Mobile: +49 175 701 2201
E-Mail: m.hoffmann@xxxxxxxxxxxxxxxxxx
Web: www.datainmotion.de
Data In Motion Consulting GmbH
Kahlaische Straße 4
07745 Jena
Managing Directors
Mark Hoffmann
Jürgen Albert
Jena HRB 513025
Tax number 162/107/05779
VAT ID DE310002614
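
Added example, not part of the message above and not Vaadin or OSGi project code: a path check that a filter like ExampleFilter could delegate to, which normalizes the request URI before matching so that equivalent spellings of the same path get the same decision. The class name ResourcePathPolicy, the deny rules and the "/app" context path are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.List;
import java.util.Locale;

// Added example: names and deny rules below are assumptions, not from the thread.
public final class ResourcePathPolicy {
    private static final List<String> DENIED_PREFIXES = List.of("/org", "/meta-inf", "/osgi-inf");
    private static final List<String> DENIED_SUFFIXES = List.of(".class");

    /** True when the request should get a 404. Unparsable input is denied (fail closed). */
    public static boolean isDenied(String requestUri, String contextPath) {
        String path;
        try {
            // Collapse repeated slashes first so "//org" is not parsed as a URI authority.
            path = new URI(requestUri.replaceAll("/{2,}", "/")).getPath(); // percent-decoded
        } catch (URISyntaxException e) {
            return true;
        }
        if (path == null) return true;
        // getRequestURI() includes the context path; match relative to it.
        if (!contextPath.isEmpty() && path.startsWith(contextPath + "/")) {
            path = path.substring(contextPath.length());
        }
        Deque<String> segments = new ArrayDeque<>();
        for (String s : path.split("/")) {
            int semi = s.indexOf(';');            // drop path parameters such as ;jsessionid=...
            if (semi >= 0) s = s.substring(0, semi);
            if (s.isEmpty() || s.equals(".")) continue;
            if (s.equals("..")) { segments.pollLast(); continue; }
            segments.addLast(s);
        }
        String p = ("/" + String.join("/", segments)).toLowerCase(Locale.ROOT);
        for (String prefix : DENIED_PREFIXES) {
            // Match whole segments so "/organisation" is not caught by "/org".
            if (p.equals(prefix) || p.startsWith(prefix + "/")) return true;
        }
        return DENIED_SUFFIXES.stream().anyMatch(p::endsWith);
    }

    public static void main(String[] args) {
        // Constructed sample paths; "/app" is an assumed context path.
        String[] samples = { "/app/VAADIN/build/app.js", "/app/org/example/Secret.class",
                "/app/organisation/index.html", "/app/x/../org/example/Secret.class",
                "/app/%6Frg/example/Secret.class", "/app/com/example/Secret.class" };
        for (String s : samples) {
            System.out.println((isDenied(s, "/app") ? "404  " : "pass ") + s);
        }
    }
}
```

Inside doFilter this would be called as isDenied(req.getRequestURI(), req.getContextPath()), sending 404 when it returns true and continuing the chain otherwise.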