Re: [osgi-users] Best practice to hide class files and other confidential resources from servlet projects
Hi Matti,
A WAB is a Bundle that is shaped like a WAR, having
WEB-INF/classes, WEB-INF/lib, web.xml AND, in addition to that, an
OSGi Manifest. Implementations, like Jetty, that support the OSGi
WAB Specification can deploy these Web-Application-Bundles
directly from your runtime. A WAB acts like a WAR.
Compared to that, the HTTP Whiteboard allows you to register Servlets,
Filters and Resources as OSGi services. The whiteboard implementation
gathers all these services and registers them with the servlet
container. The Specification describes it like this: "... the OSGi
Http Whiteboard Specification provides a light and convenient way
of using servlets, servlet filters, servlet listeners and web
resources in an OSGi environment through the use of the [7] Whiteboard Pattern."
I cannot confirm that behavior when removing all Vaadin
dependencies.
Using that shape:
org/gecko/example/
    Example.java
    ExampleServlet.java
When I register the Servlet in the Example component like this:
Dictionary<String, Object> properties = new Hashtable<String, Object>();
properties.put(HttpWhiteboardConstants.HTTP_WHITEBOARD_SERVLET_ASYNC_SUPPORTED, true);
properties.put(HttpWhiteboardConstants.HTTP_WHITEBOARD_SERVLET_PATTERN, "/test/*");
servletRegistration = ctx.registerService(Servlet.class, new ExampleServlet(), properties);
I get this:
http://localhost:8080/test/org/gecko/servlet/Example.class - 200 - Content of the ExampleServlet
http://localhost:8080/test/org/gecko/servlet/ExampleServlet.class - 200 - Content of the ExampleServlet
I can never download the class file. The same happens when I
register the Servlet under /*.
The bnd for the servlet project:
Bundle-Version: 1.0.0.${tstamp}
-buildpath: \
osgi.annotation;version='7.0.0',\
osgi.core;version='7.0.0',\
osgi.cmpn;version='7.0.0',\
org.apache.felix.http.servlet-api;version='1.1'
javac.source: 11
javac.target: 11
I run everything with the following bundles:
-runfw: org.apache.felix.framework;version='[6.0.3,6.0.4]'
-runee: JavaSE-11
-runprovidedcapabilities: ${native_capability}
-resolve.effective: active
-runproperties: \
osgi.console=,\
osgi.console.enable.builtin=false
-runbundles: \
org.apache.felix.gogo.command;version='[1.0.2,1.0.3)',\
org.apache.felix.gogo.runtime;version='[1.0.10,1.0.11)',\
org.apache.felix.gogo.shell;version='[1.0.0,1.0.1)',\
org.apache.felix.http.jetty;version='[4.1.4,4.1.5)',\
org.apache.felix.http.servlet-api;version='[1.1.2,1.1.3)',\
org.apache.felix.http.whiteboard;version='[4.0.0,4.0.1)',\
org.apache.felix.scr;version='[2.1.24,2.1.25)',\
org.gecko.servlet;version=snapshot,\
org.osgi.util.function;version='[1.1.0,1.1.1)',\
org.osgi.util.promise;version='[1.1.0,1.1.1)'
-runrequires: \
osgi.identity;filter:='(osgi.identity=org.apache.felix.gogo.shell)',\
osgi.identity;filter:='(osgi.identity=org.apache.felix.gogo.command)',\
bnd.identity;id='org.gecko.servlet',\
bnd.identity;version='4.0.0';id='org.apache.felix.http.whiteboard'
Maybe there is a registered static Resource that serves that
content, as Stefan mentioned?
https://docs.osgi.org/specification/osgi.cmpn/7.0.0/service.http.whiteboard.html#d0e121459.
You could achieve your described behavior with this:
@Component(service = IndexResource.class)
@HttpWhiteboardResource(pattern = "/*", prefix = "/")
public class IndexResource {
}
And are you sure that the download results are not from the
browser cache, if you use the same URL?
Regards,
Mark
On 04.03.21 at 22:19, Matti Tahvonen wrote:
Thanks Mark and Stefan,
It might indeed be that the bundle in our example is
not technically a WAB; I'm still a bit fuzzy about the terminology.
I'm still not 100% confident, though, that the issue is in
VaadinServlet.
The same happens in the official Karaf example, which is not
mapped to root either. So to me it looks like it is the
"default servlet" that kicks in and somehow serves everything
from that bundle that registered the (most recent 🤔) servlet.
My colleague also suggested having a servlet
filter as a workaround, but that sounds like a bad hack to me.
__
Matti Tahvonen – +358 44 3029728 –
Vaadin Ltd -
vaadin.com
Hi Matti,
in Vaadin you use the HTTP Whiteboard Specification:
https://docs.osgi.org/specification/osgi.cmpn/7.0.0/service.http.whiteboard.html
In your link you refer to a WAB, a web application bundle.
The problem you describe seems to be related to the VaadinServlet.
It obviously allows access to resources in the jar.
If you e.g. register a Servlet like this under the same context,
you will not experience the issue.
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ExampleServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;

    @Override
    public void init() throws ServletException {
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Plain HTML response; the servlet serves nothing from the bundle's jar
        resp.setContentType("text/html");
        PrintWriter writer = resp.getWriter();
        writer.format("<h1>Hello World!</h1>");
        writer.format("<p>I am Servlet</p>");
    }
}
In your base-starter-vaadin-flow example, you register the Servlet
in an OSGi component like this:
import java.util.Dictionary;
import java.util.Hashtable;

import javax.servlet.Servlet;

import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceRegistration;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Deactivate;
import org.osgi.service.http.whiteboard.HttpWhiteboardConstants;

@Component(immediate = true)
public class Example {
    private ServiceRegistration<Servlet> servletRegistration;

    @Activate
    public void activate(BundleContext ctx) {
        // Whiteboard registration: the servlet is published as an OSGi service
        // and the whiteboard implementation maps it into the servlet container
        Dictionary<String, Object> properties = new Hashtable<String, Object>();
        properties.put(HttpWhiteboardConstants.HTTP_WHITEBOARD_SERVLET_ASYNC_SUPPORTED, true);
        properties.put(HttpWhiteboardConstants.HTTP_WHITEBOARD_SERVLET_PATTERN, "/*");
        servletRegistration = ctx.registerService(Servlet.class, new ExampleServlet(), properties);
    }

    @Deactivate
    public void deactivate() {
        // Unregistering the service removes the servlet mapping again
        if (servletRegistration != null) {
            servletRegistration.unregister();
        }
    }
}
If you launch the application and try the
class file URL, nothing will happen.
I reproduced the problem you described with the VaadinServlet and
used a Servlet Filter to reject the requests for certain URLs (in
that case everything that starts with /org):
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ServiceScope;
import org.osgi.service.http.whiteboard.propertytypes.HttpWhiteboardFilterPattern;

@Component(scope = ServiceScope.PROTOTYPE)
@HttpWhiteboardFilterPattern("/*")
public class ExampleFilter implements Filter {
    // Request URI prefixes that must not be served
    private String[] pathToBeIgnored = new String[]{"/org"};

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        String path = ((HttpServletRequest) request).getRequestURI();
        boolean ignore = false;
        for (String prefix : pathToBeIgnored) {
            if (path.startsWith(prefix)) {
                ignore = true;
                break;
            }
        }
        if (!ignore) {
            chain.doFilter(request, response); // Just continue chain.
        } else {
            HttpServletResponse r = (HttpServletResponse) response;
            r.sendError(404);
        }
    }

    @Override
    public void destroy() {
    }
}
I hope this helps.
Regards,
Mark
--
Mark Hoffmann
M.A. Dipl.-Betriebswirt (FH)
Geschäftsführer
Tel: +49 3641 384 910 0
Mobil: +49 175 701 2201
E-Mail: m.hoffmann@xxxxxxxxxxxxxxxxxx
Web: www.datainmotion.de
Data In Motion Consulting GmbH
Kahlaische Straße 4
07745 Jena
Geschäftsführer
Mark Hoffmann
Jürgen Albert
Jena HRB 513025
Steuernummer 162/107/05779
USt-Id DE310002614
_______________________________________________
osgi-users mailing list
osgi-users@xxxxxxxxxxx
To change your delivery options, retrieve your password,
or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/osgi-users
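The filter Mark shows above matches the raw request URI against a single fixed prefix, so a request that spells the same path differently (percent-encoded characters, doubled slashes, "." and ".." segments) would not be caught. The following is an added example, written for this page and not code from Mark, Vaadin or the OSGi project, that generalises that workaround: it normalises the path first, refuses every ".class" file regardless of package, and denies a small list of bundle-internal prefixes. The class name ConfidentialResourceFilter and the DENIED_PREFIXES list are assumptions; the whiteboard annotations are the standard OSGi R7 property types used on this page.

```java
package org.gecko.example;

import java.io.IOException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.List;
import java.util.Locale;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ServiceScope;
import org.osgi.service.http.whiteboard.propertytypes.HttpWhiteboardFilterAsyncSupported;
import org.osgi.service.http.whiteboard.propertytypes.HttpWhiteboardFilterPattern;

/**
 * Hypothetical whiteboard filter (example for this thread, not project code)
 * that refuses to serve bundle internals no matter which servlet or resource
 * is mapped behind it.
 */
@Component(scope = ServiceScope.PROTOTYPE)
@HttpWhiteboardFilterPattern("/*")
@HttpWhiteboardFilterAsyncSupported   // the servlets in this thread are registered async-supported
public class ConfidentialResourceFilter implements Filter {

    // Assumed denylist: context-relative prefixes (lower-case, normalised) that are never served.
    static final List<String> DENIED_PREFIXES =
            List.of("/org/", "/web-inf/", "/meta-inf/", "/osgi-inf/");

    /** Decode and collapse the path so "/test/%2e%2e/org/X.class" and "/org//X.class" are caught. */
    static String normalize(String rawPath) {
        String decoded = rawPath.replace('\\', '/');
        // decode twice to unwrap double-encoding such as %252e%252e
        for (int i = 0; i < 2; i++) {
            decoded = URLDecoder.decode(decoded, StandardCharsets.UTF_8).replace('\\', '/');
        }
        Deque<String> segments = new ArrayDeque<>();
        for (String s : decoded.split("/")) {
            if (s.isEmpty() || s.equals(".")) continue;
            if (s.equals("..")) { segments.pollLast(); continue; }   // never climb above the root
            segments.addLast(s);
        }
        return "/" + String.join("/", segments);
    }

    /** Pure decision function, kept separate so it can be unit-tested without a container. */
    static boolean isDenied(String rawPath) {
        String p = normalize(rawPath).toLowerCase(Locale.ROOT);
        if (p.endsWith(".class")) return true;                  // compiled classes, any package
        for (String prefix : DENIED_PREFIXES) {
            if (p.startsWith(prefix) || p.equals(prefix.substring(0, prefix.length() - 1))) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        String path = req.getRequestURI();
        String ctx = req.getContextPath();
        if (ctx != null && !ctx.isEmpty() && path.startsWith(ctx)) {
            path = path.substring(ctx.length());      // compare the context-relative part only
        }
        if (isDenied(path)) {
            // 404 rather than 403: do not confirm that the resource exists
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(request, response);
    }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }
}
```

With this in place, isDenied("/test/org/gecko/servlet/Example.class"), isDenied("/test/%2e%2e/org/x") and isDenied("/WEB-INF/web.xml") all return true, while isDenied("/test/index.html") returns false. The filter is still only a stop-gap for the situation the thread describes, where a servlet (here apparently the VaadinServlet or the default servlet) exposes the contents of its own bundle: it reduces the blast radius but does not remove the cause. The durable fix is to keep confidential classes and resources out of the bundle that serves HTTP, or to register only a deliberately scoped @HttpWhiteboardResource as Mark suggests, so that nothing is served by accident.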