Re: [osgi-users] Best practice to hide class files and other confidential resources from servlet projects

Hi,

Sorry, but I end up with this in my setup:

properties.put(HttpWhiteboardConstants.HTTP_WHITEBOARD_SERVLET_ASYNC_SUPPORTED, true);
properties.put(HttpWhiteboardConstants.HTTP_WHITEBOARD_SERVLET_PATTERN, "/*");
servletRegistration = ctx.registerService(Servlet.class, new ExampleServlet(), properties);

GET http://localhost:8080/org/gecko/servlet/Example.class

Response: 200

<h1>Hello World!</h1><p>I am Servlet</p>

These are the results for a different setup:

Dictionary<String, Object> properties = new Hashtable<String, Object>();
properties.put(HttpWhiteboardConstants.HTTP_WHITEBOARD_SERVLET_ASYNC_SUPPORTED, true);
properties.put(HttpWhiteboardConstants.HTTP_WHITEBOARD_SERVLET_PATTERN, "/test/*");
servletRegistration = ctx.registerService(Servlet.class, new ExampleServlet(), properties);

GET http://localhost:8080/org/gecko/servlet/Example.class

Response: 404

GET http://localhost:8080/test/org/gecko/servlet/Example.class

Response: 200

<h1>Hello World!</h1><p>I am Servlet</p>

Sorry, I cannot reproduce it.

Regards,

Mark

On 05.03.21 at 07:36, Matti Tahvonen wrote:
Hi,

When you register to /test, still try to download the class file from the root context, in your test setup from http://localhost:8080/org/gecko/servlet/Example.class

I have recently played with Karaf (PAX Web), but I was able to reproduce that with our “simple starter” as well, which is using Felix Jetty. So I’d expect that to happen in your isolated case as well.

__
Matti Tahvonen – +358 44 3029728 – Vaadin Ltd - vaadin.com


On 5. Mar 2021, at 08:07 , Mark Hoffmann <m.hoffmann@xxxxxxxxxxxxxxxxxx> wrote:

Hi Matti,

A WAB is a bundle that is shaped like a WAR, having WEB-INF/classes, WEB-INF/lib, web.xml and, in addition to that, an OSGi manifest. Implementations like Jetty that support the OSGi WAB specification can deploy these Web Application Bundles directly from your runtime. A WAB acts like a WAR.

Compared to that, the HTTP Whiteboard allows you to register Servlets, Filters and Resources as OSGi services. The whiteboard implementation gathers all these services and registers them with the servlet container. The specification describes it like this: "... the OSGi Http Whiteboard Specification provides a light and convenient way of using servlets, servlet filters, servlet listeners and web resources in an OSGi environment through the use of the [7] Whiteboard Pattern."

I cannot confirm that behavior when removing all Vaadin dependencies.

Using that shape:

org/gecko/example/
        Example.java
        ExampleServlet.java

When I register the Servlet in the Example component like this:

        Dictionary<String, Object> properties = new Hashtable<String, Object>();
        properties.put(HttpWhiteboardConstants.HTTP_WHITEBOARD_SERVLET_ASYNC_SUPPORTED, true);
        properties.put(HttpWhiteboardConstants.HTTP_WHITEBOARD_SERVLET_PATTERN, "/test/*");
        servletRegistration = ctx.registerService(Servlet.class, new ExampleServlet(), properties);

I get this:

http://localhost:8080/test/org/gecko/servlet/Example.class - 200 - Content of the ExampleServlet
http://localhost:8080/test/org/gecko/servlet/ExampleServlet.class - 200 - Content of the ExampleServlet

I can never download the class file. The same happens when I register the Servlet under /*.

The bnd for the servlet project:

Bundle-Version: 1.0.0.${tstamp}

-buildpath: \
    osgi.annotation;version='7.0.0',\
    osgi.core;version='7.0.0',\
    osgi.cmpn;version='7.0.0',\
    org.apache.felix.http.servlet-api;version='1.1'

javac.source: 11
javac.target: 11

I run everything with the following bundles:

-runfw: org.apache.felix.framework;version='[6.0.3,6.0.4]'
-runee: JavaSE-11
-runprovidedcapabilities: ${native_capability}

-resolve.effective: active

-runproperties: \
    osgi.console=,\
    osgi.console.enable.builtin=false

-runbundles: \
    org.apache.felix.gogo.command;version='[1.0.2,1.0.3)',\
    org.apache.felix.gogo.runtime;version='[1.0.10,1.0.11)',\
    org.apache.felix.gogo.shell;version='[1.0.0,1.0.1)',\
    org.apache.felix.http.jetty;version='[4.1.4,4.1.5)',\
    org.apache.felix.http.servlet-api;version='[1.1.2,1.1.3)',\
    org.apache.felix.http.whiteboard;version='[4.0.0,4.0.1)',\
    org.apache.felix.scr;version='[2.1.24,2.1.25)',\
    org.gecko.servlet;version=snapshot,\
    org.osgi.util.function;version='[1.1.0,1.1.1)',\
    org.osgi.util.promise;version='[1.1.0,1.1.1)'

-runrequires: \
    osgi.identity;filter:='(osgi.identity=org.apache.felix.gogo.shell)',\
    osgi.identity;filter:='(osgi.identity=org.apache.felix.gogo.command)',\
    bnd.identity;id='org.gecko.servlet',\
    bnd.identity;version='4.0.0';id='org.apache.felix.http.whiteboard'

Maybe there is a registered static Resource that serves that content, as Stefan mentioned?

https://docs.osgi.org/specification/osgi.cmpn/7.0.0/service.http.whiteboard.html#d0e121459.

You could achieve your described behavior with this:

import org.osgi.service.component.annotations.Component;
import org.osgi.service.http.whiteboard.propertytypes.HttpWhiteboardResource;

// Registers the bundle's own content (prefix "/") as static web resources under "/*".
@Component(service = IndexResource.class)
@HttpWhiteboardResource(pattern = "/*", prefix = "/")
public class IndexResource {

}

And are you sure that the download results are not from the browser cache, if you use the same URL?

Regards,

Mark


On 04.03.21 at 22:19, Matti Tahvonen wrote:
Thanks Mark and Stefan,

It might indeed be that the bundle in our example is not technically a WAB, I’m still a bit fuzzy about the terminology. I’m still not 100% confident though that the issue is in VaadinServlet.

The ExampleServlet that you showed grabs everything from the root context if registered to /*. But if I map that, for example, to /foo/*, the same thing happens. Even if I remove everything related to Vaadin from the project and then visit http://localhost:8181/com/example/starter/base/osgi/ExampleServlet.class, I can download the actual class file.

The same in the official Karaf example that is not mapped to root either. So to me it looks like it is the “default servlet” that kicks in and somehow serves everything from that bundle that registered the (most recent 🤔) servlet.

My colleague also suggested having a servlet filter as a workaround, but that sounds like a bad hack to me.

__
Matti Tahvonen – +358 44 3029728 – Vaadin Ltd - vaadin.com




On 4. Mar 2021, at 22:17 , Mark Hoffmann <m.hoffmann@xxxxxxxxxxxxxxxxxx> wrote:

Hi Matti,

In Vaadin you use the HTTP Whiteboard Specification:

https://docs.osgi.org/specification/osgi.cmpn/7.0.0/service.http.whiteboard.html

In your link you refer to a WAB, a web application bundle.

The problem you describe seems to be related to the VaadinServlet. It obviously allows access to resources in the jar.

If you register, for example, a Servlet like this under the same context, you will not experience the issue.

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Plain servlet: answers every request itself and serves no files from the bundle.
public class ExampleServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    @Override
    public void init() throws ServletException {
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        resp.setContentType("text/html");
        PrintWriter writer = resp.getWriter();
        writer.format("<h1>Hello World!</h1>");
        writer.format("<p>I am Servlet</p>");
    }

}

In your base-starter-vaadin-flow example, you register the Servlet in an OSGi component like this:

import java.util.Dictionary;
import java.util.Hashtable;

import javax.servlet.Servlet;

import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceRegistration;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Deactivate;
import org.osgi.service.http.whiteboard.HttpWhiteboardConstants;

// Registers the servlet with the HTTP Whiteboard under "/*" on activation and removes it on deactivation.
@Component(immediate = true)
public class Example {

    private ServiceRegistration<Servlet> servletRegistration;

    @Activate
    public void activate(BundleContext ctx) {
        Dictionary<String, Object> properties = new Hashtable<String, Object>();
        properties.put(HttpWhiteboardConstants.HTTP_WHITEBOARD_SERVLET_ASYNC_SUPPORTED, true);
        properties.put(HttpWhiteboardConstants.HTTP_WHITEBOARD_SERVLET_PATTERN, "/*");
        servletRegistration = ctx.registerService(Servlet.class, new ExampleServlet(), properties);
    }

    @Deactivate
    public void deactivate() {
        if (servletRegistration != null) {
            servletRegistration.unregister();
        }
    }

}

If you launch the application and try the class file URL, nothing will happen.

I reproduced the problem you described with the VaadinServlet and used a Servlet Filter to reject the request for certain URLs (in that case everything that starts with /org):

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ServiceScope;
import org.osgi.service.http.whiteboard.propertytypes.HttpWhiteboardFilterPattern;

// Whiteboard filter on "/*": every request passes through here before any servlet sees it.
@Component(scope = ServiceScope.PROTOTYPE)
@HttpWhiteboardFilterPattern("/*")
public class ExampleFilter implements Filter {

    // Request URI prefixes that must never be served (here: the bundle's own package tree).
    private String[] pathToBeIgnored = new String[]{"/org"};

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        String path = ((HttpServletRequest) request).getRequestURI();
        for (String ignore : pathToBeIgnored) {
            if (path.startsWith(ignore)) {
                // Answer 404 so the caller cannot tell that the resource exists.
                HttpServletResponse r = (HttpServletResponse) response;
                r.sendError(404);
                return;
            }
        }
        chain.doFilter(request, response); // Not a protected path: just continue the chain.
    }

    @Override
    public void destroy() {
    }

}

I hope this helps.

Regards,

Mark


-- 
Mark Hoffmann
M.A. Dipl.-Betriebswirt (FH)
Managing Director

Tel:    +49 3641 384 910 0
Mobile: +49 175 701 2201
E-Mail: m.hoffmann@xxxxxxxxxxxxxxxxxx
Web: www.datainmotion.de

Data In Motion Consulting GmbH
Kahlaische Straße 4
07745 Jena

Managing Directors
Mark Hoffmann
Jürgen Albert

Jena HRB 513025
Tax number 162/107/05779
VAT ID DE310002614


_______________________________________________
osgi-users mailing list
osgi-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/osgi-users



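The filter in the thread blocks one fixed prefix and matches the raw request URI. The following whiteboard filter, added here as an example and not code from the thread or from any of the projects mentioned, goes one step further: it normalizes dot segments and case before matching, fails closed on malformed URIs, and denies a whole set of bundle-internal locations (class files, META-INF, OSGI-INF, WEB-INF, and the bundle's own package tree). The class name, the HIDDEN_PREFIXES and HIDDEN_SUFFIXES lists and the "/org/" package prefix are assumptions for this example; adjust them to your bundle layout.

```java
import java.io.IOException;
import java.net.URI;
import java.util.Locale;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ServiceScope;
import org.osgi.service.http.whiteboard.propertytypes.HttpWhiteboardFilterPattern;

// Whiteboard filter on "/*": rejects requests for bundle internals before any servlet
// (or a default resource servlet) gets a chance to serve them. Example code, not from the thread.
@Component(scope = ServiceScope.PROTOTYPE, service = Filter.class)
@HttpWhiteboardFilterPattern("/*")
public class ConfidentialResourceFilter implements Filter {

    // Assumed lists: locations that never hold public web content, lower-cased for matching.
    private static final Set<String> HIDDEN_PREFIXES = Set.of("/meta-inf/", "/osgi-inf/", "/web-inf/", "/org/");
    private static final Set<String> HIDDEN_SUFFIXES = Set.of(".class", ".bnd", ".jar");

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (isHidden(((HttpServletRequest) request).getRequestURI())) {
            // 404, not 403: the response is indistinguishable from a missing resource.
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(request, response);
    }

    // normalize() collapses "." and ".." segments, getPath() decodes percent-escapes once;
    // the match then runs on the cleaned, lower-cased path anywhere below the context root.
    static boolean isHidden(String requestUri) {
        String path;
        try {
            path = URI.create(requestUri).normalize().getPath();
        } catch (IllegalArgumentException e) {
            return true; // Malformed URI: fail closed.
        }
        if (path == null) {
            return true;
        }
        String lower = path.toLowerCase(Locale.ROOT);
        return HIDDEN_SUFFIXES.stream().anyMatch(lower::endsWith)
            || HIDDEN_PREFIXES.stream().anyMatch(lower::contains);
    }

    @Override
    public void destroy() {
    }
}
```

Because the match uses contains rather than startsWith, a servlet mapped to /test/* is covered as well, which is the case the thread shows still returning 200 with a plain prefix check on "/org".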
